Military contractor exposes top-secret information in Amazon’s cloud

Top-secret data on military personnel and contractors has been exposed online in another case of a company misconfiguring Amazon Web Services Inc.’s cloud storage service.

The latest AWS bungle comes from a private military contractor from North Carolina called TigerSwan. It involves resumes and other personal details for job applicants, including information classified “Top Secret,” being left on an S3 bucket, or unit of cloud storage, that had been configured to allow public access.

As if configuring an S3 bucket insecurely weren’t bad enough, the company was allegedly warned that the files on the server were publicly available in July, but the files remained accessible until Aug. 24.

“The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles,” security firm UpGuard Inc., which made the initial discovery, wrote in a blog post Saturday. “They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses” but also “sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers.”

TigerSwan aimed to deflect the blame, holding a subcontractor it uses, TalentPen LLC, responsible for the security breach. “TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files,” the company said in a statement Saturday. “It was only when we reached out to them with the information on Aug. 31 did they acknowledge their actions.”

John Suit, chief technology officer at data protection firm Trivalent Inc., told SiliconANGLE that roughly 9,400 documents were exposed in the breach, highlighting the damaging effects of leaving critical data unprotected. “This information was discovered in a folder labeled ‘resumes’ that was in a visible location accessible by malicious parties. This breach highlights the importance of taking the guesswork out of data security by employing protection at the file level, which ensures individual files are protected at all times.”

Noting that this wasn’t the first time confidential data had been exposed on AWS, Fugue Inc. Chief Executive Officer Josh Stella explained to SiliconANGLE that “exposures due to human error, such as misconfigured AWS S3 buckets, are going to continue as long as organizations fail to implement policy-as-code and full infrastructure lifecycle automation.

“If you still rely on bolted-on security monitoring, manual incident remediation and security audits to keep your data safe, your organization will remain at risk of these kinds of breaches,” he added.

Military contractors seem to be particularly inept at configuring security settings on AWS. Booz Allen Hamilton Inc. also exposed confidential data in a similar fashion in June.

Photo: U.S. Marine Corps/Wikimedia Commons
