US military contractor exposes thousands of personnel files

Military contractor and international security firm TigerSwan has exposed 9,402 documents containing the sensitive personal information of US military personnel and applicants for military and intelligence positions.

The documents, which date back to 2009, include individuals’ home addresses, phone numbers, and email addresses. Some documents also contained highly sensitive details, such as applicants’ security clearance levels (including ‘top secret’), driver’s license numbers, passport numbers, and at least partial Social Security numbers.

Many Iraqi and Afghan nationals who cooperated with US military forces and government agencies in their home countries were also affected.

Third party to blame

The data was discovered by Chris Vickery, a researcher at security firm UpGuard, who said the information had been left in an Amazon Web Services S3 storage bucket that had been accidentally configured for public access.

TigerSwan blamed a third-party recruitment company, TalentPen, for the mistake. In a statement, TigerSwan said it had terminated TalentPen’s contract in February 2017. The statement explains:

To close out our account, TalentPen set up a secure site to transfer the resume files connected to the project to TigerSwan’s secure server. This transfer site was secured by a 20-character user id and a 256-bit secret access key, and it had a limited lifespan, from February 6th to February 10th.

However, the files were never taken down and remained in the publicly accessible storage bucket for months after the transfer window closed. TigerSwan’s statement claims: “Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing.”
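The failure here is that the transfer credentials expired but neither the objects nor the bucket’s public access did. As an added example that is not from the article, TigerSwan or TalentPen, the following Python script runs offline over ACL, bucket-policy and lifecycle documents in the shapes the S3 API returns (aws s3api get-bucket-acl, get-bucket-policy and get-bucket-lifecycle-configuration) and flags the two conditions that produced this exposure: read access granted to everyone, and no lifecycle rule expiring the transfer objects within the transfer window. The sample documents, bucket name and account ID are constructed for illustration and are not the real bucket’s configuration.

```python
"""Offline audit for a one-off transfer bucket: is it readable by everyone,
and will the transferred objects be deleted when the transfer window ends?

Added example. The inputs are constructed to mirror the JSON that
`aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-bucket-lifecycle-configuration` return; they are not TalentPen's
real configuration, which was never published.
"""
import json

# S3's two "everyone" ACL grantees. AuthenticatedUsers means any AWS account
# in the world, not just yours, so it counts as public too.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> list:
    """Return the permissions a bucket ACL grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def policy_public_read(policy_json: str) -> bool:
    """True if the bucket policy lets an anonymous principal read objects.

    A statement is anonymous-readable when Effect is Allow, Principal is "*"
    (or {"AWS": "*"}), it grants s3:GetObject (or s3:* / *), and it carries no
    Condition. Conditions are assumed to narrow the caller; a fuller audit
    should inspect them, since e.g. aws:SourceIp 0.0.0.0/0 narrows nothing.
    """
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        reads = actions & {"s3:getobject", "s3:*", "*"}
        if anonymous and reads and not stmt.get("Condition"):
            return True
    return False


def prefix_expires_within(lifecycle: dict, prefix: str, max_days: int) -> bool:
    """True if an enabled lifecycle rule expires objects under `prefix` in <= max_days."""
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        # Newer rules use Filter.Prefix; older ones carry Prefix at the top level.
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        days = rule.get("Expiration", {}).get("Days")
        if prefix.startswith(rule_prefix) and days is not None and days <= max_days:
            return True
    return False


def audit_bucket(acl, policy_json, lifecycle, transfer_prefix, window_days):
    """Collect findings for a transfer bucket that should be private and short-lived."""
    findings = []
    grants = acl_public_grants(acl)
    if grants:
        findings.append("ACL grants %s to everyone" % ",".join(grants))
    if policy_public_read(policy_json):
        findings.append("bucket policy allows anonymous s3:GetObject")
    if not prefix_expires_within(lifecycle, transfer_prefix, window_days):
        findings.append("no lifecycle rule expires %s within %d days" % (transfer_prefix, window_days))
    return findings


# Constructed ACL: the classic mistake, READ granted to everyone on the internet.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

# Constructed bucket policy that only names the intended recipient: not public
# by itself, which is why the ACL must be checked separately.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/transfer-recipient"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-transfer-bucket/transfer/*",
    }],
})

# Constructed lifecycle with no rules: transferred objects would stay forever.
SAMPLE_LIFECYCLE = {"Rules": []}

if __name__ == "__main__":
    # A five-day transfer window, as in the statement above (February 6th to 10th).
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LIFECYCLE, "transfer/", 5):
        print("FINDING:", finding)
```

Run against the constructed inputs, the script reports the public ACL grant and the missing expiration rule; the narrow bucket policy alone would have passed, which is exactly how a bucket can look locked down in its policy yet be world-readable through its ACL. In a real audit the same three documents come from the AWS CLI calls named in the docstring, and the bucket-level Block Public Access setting should be checked as well.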

Identifying the problem

Although TigerSwan wasn’t directly responsible for the breach, it admitted that it failed to identify the problem after Vickery contacted the company on July 21. International Business Times reports that TigerSwan reviewed its systems, found no evidence of a breach, and dismissed Vickery’s email as a “potential phishing scam”. A phone call from Vickery the next day was also “not considered credible”.

TigerSwan did contact Amazon Web Services on July 22, but the files were not removed until August 24, more than a month later.

This incident shows how important it is for organizations to review the security of any third parties they share personal information with, and to confirm that data handed over for a one-off transfer is actually removed afterwards. Since it’s becoming much more common to process and store data with third parties, it’s no wonder that the revised version of ISO 27001 dedicates a whole section (Annex A.15, supplier relationships) to this issue.

You can learn how to manage this process and stay secure in general with our Information Security & ISO27001 Staff Awareness E-Learning Course.

This course provides a comprehensive introduction to information security and ISO 27001, describing seven real-life scenarios that illustrate the importance of information security and how ISO 27001 can help. It also offers advice on applying the Standard’s requirements and details the important documentation you should be aware of.

Take a look at this course now: