Amazon S3 Security Gaffe Exposes Thousands of Vets, Intelligence Personnel
The personal data of thousands of U.S. military veterans, law enforcement officers and intelligence personnel was left exposed in an unsecured Amazon Simple Storage Service (S3) bucket, researchers reported this weekend.
Discoveries of wide-open S3 buckets containing personally identifiable information have been worryingly commonplace in recent months, eventually prompting Amazon Web Services (AWS) to directly remind its users to block public access to their storage buckets (which are set to private by default).
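The check that AWS's reminder asks for, as an added example that is not code from the article, UpGuard, TigerSwan or AWS: it evaluates a bucket ACL, a bucket policy and the bucket's Block Public Access settings offline and says whether the bucket is world-readable. The ACL, policy and block documents are constructed samples for a hypothetical bucket named "example-resumes", in the same JSON shapes the `aws s3api` commands return; the four Block Public Access flags are a feature AWS introduced after this article was written, so a 2017-era bucket would have had only the ACL and policy to look at.

```python
"""Offline public-exposure check for an S3 bucket (added example, not from the article)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # any grant to these is a public grant

# Constructed samples for a hypothetical bucket "example-resumes", in the shapes
# returned by `aws s3api get-bucket-acl`, `get-bucket-policy` (the Policy field,
# decoded) and `get-public-access-block`.
OWNER = {"Type": "CanonicalUser", "ID": "a1b2c3d4e5f6owner"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
# The "wide-open bucket" pattern: owner keeps FULL_CONTROL, everyone gets READ.
PUBLIC_ACL = {"Owner": {"ID": OWNER["ID"]},
              "Grants": PRIVATE_ACL["Grants"] + [
                  {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]
}""")
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def public_acl_grants(acl):
    """Return (group URI, permission) for every grant to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements that grant access to anyone with no Condition.

    Statements that carry a Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) can
    still be public depending on the condition, so they are left for manual review
    rather than reported here.
    """
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")) \
                and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def assess(acl, policy=None, public_access_block=None):
    """Return {'public': bool, 'findings': [str]} for one bucket.

    The Block Public Access flags change how the other documents are evaluated:
    IgnorePublicAcls makes existing public ACL grants inert, and
    RestrictPublicBuckets limits a public bucket policy to principals in the
    bucket owner's account. BlockPublicAcls and BlockPublicPolicy only reject
    *new* public settings, so they do not change the verdict for what is in place.
    """
    pab = public_access_block or {}
    findings, public = [], False
    for uri, perm in public_acl_grants(acl):
        group = uri.rsplit("/", 1)[-1]
        if pab.get("IgnorePublicAcls"):
            findings.append(f"ACL grants {perm} to {group} but IgnorePublicAcls is set")
        else:
            findings.append(f"ACL grants {perm} to {group}")
            public = True
    for sid in public_policy_statements(policy or {}):
        if pab.get("RestrictPublicBuckets"):
            findings.append(f"policy statement {sid} allows anyone but RestrictPublicBuckets is set")
        else:
            findings.append(f"policy statement {sid} allows anyone")
            public = True
    return {"public": public, "findings": findings}


if __name__ == "__main__":
    for label, block in (("no block", None), ("full block", FULL_BLOCK)):
        verdict = assess(PUBLIC_ACL, PUBLIC_POLICY, block)
        print(f"{label}: public={verdict['public']}")
        for line in verdict["findings"]:
            print("  -", line)
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-acl --bucket NAME`, `aws s3api get-bucket-policy --bucket NAME` (the `Policy` field is a JSON string that must be decoded first) and `aws s3api get-public-access-block --bucket NAME`. The one-line fix for the "no block" verdict is `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, after which the public ACL grant and the public policy statement are reported but no longer honoured. The caveat this incident illustrates: an access key ID and secret key protect the write or transfer path only; a READ grant to AllUsers on the bucket ACL lets anyone list and download the objects without any credentials at all.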
This latest instance was reported on Sept. 2 by security software firm UpGuard, the same company that earlier this summer unearthed misconfigured S3 buckets containing data on Verizon account holders, Dow Jones customers and, on two separate occasions, U.S. voters.
According to UpGuard's report, the S3 bucket in question contained thousands of resumes electronically submitted by job seekers to military contractor TigerSwan and managed by TalentPen, a third-party recruitment services provider. The resumes were uploaded from 2008 to February 2017, spanning the entirety of TigerSwan's contract with TalentPen, and were located in a public S3 bucket named "tigerswanresumes," reachable as an AWS subdomain of that name.
The exposed data included home addresses, phone numbers and employment histories, as well as passport numbers, driver's license numbers and Social Security numbers. Unlike previous S3 bucket misconfigurations, this one also exposed especially sensitive information because of the backgrounds of the affected individuals, mostly U.S. military veterans and intelligence personnel, including some with high-level security clearances. UpGuard counted former United Nations workers, law enforcement officers, veterans of Afghanistan and Iraq, foreign translators and at least one active Secret Service member among those whose resumes were put at risk.
UpGuard first e-mailed TigerSwan about the exposed files on July 21, but they were not taken offline until Aug. 24, after several rounds of correspondence involving UpGuard, TigerSwan, TalentPen and AWS. TigerSwan, which confirmed UpGuard's report in its own statement, attributed the month-long delay to confusion over whether UpGuard's initial e-mail was legitimate or "a potential phishing scam."
TigerSwan claimed it was not aware that the TalentPen-managed S3 bucket had been left online and public even after its contract had been terminated. According to TigerSwan, the bucket had initially been spun up by TalentPen in February as a means to transfer the resume files to TigerSwan's secure server.
"To close out our account, TalentPen set up a secure site to transfer the resume files connected to the project to TigerSwan's secure server. This transfer site was secured by a 20-character user id and a 256-bit secret access key, and it had a limited lifespan, from February 6th to February 10th," TigerSwan said in its statement. "TigerSwan downloaded the files to our secure server on February 8th. In accordance with TalentPen's procedure, we notified them that the download was complete, initiating their process to remove the files."
However, the files apparently remained in the bucket, still publicly readable, until UpGuard reached out to AWS directly, about a month after its initial discovery.
"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," TigerSwan said.
Many of the S3 misconfigurations discovered in recent months similarly involved third-party vendors, which UpGuard characterized as a common weak spot in many organizations' security environments. "When an enterprise with a highly resilient and secure IT toolchain outsources the job of handling sensitive or valuable data to a third-party vendor lacking such well-designed processes and systems, it will nevertheless be the hiring enterprise that pays the biggest price," UpGuard said.
For its part, TigerSwan said it is reviewing its "vendor selection processes and their data management practices" in the wake of the incident.
Gladys Rama (@GladysRama3) is the editor of Redmondmag.com, RCPmag.com and AWSInsider.net, and the editorial director of Converge360.