Not all data breaches are caused by hackers and identity thieves. In some situations, it is the companies themselves that accidentally make private information extremely public on unsecured servers. That’s what happened in a recent data breach caused by a third-party vendor entrusted with the resumes of individuals who have worked in the U.S. intelligence community.
The companies associated with this breach—which was made public on September 2, 2017—are:
- TigerSwan, a private security firm based in North Carolina
- TalentPen, a third-party vendor used by TigerSwan to process new job applicants
- UpGuard, a cybersecurity firm in California that discovered the sensitive documents on an unsecured Amazon S3 bucket
Individuals who may have been affected by this breach include:
Anyone who voluntarily filled out a resume form on TigerSwan’s website between 2008 and 2017. The 9,400 documents found in a folder labeled “resumes” contained the resumes and personal contact information for thousands of U.S. citizens holding Top Secret security clearances. Applicants may have been currently or formerly employed by the U.S. Department of Defense, the Central Intelligence Agency, the National Security Agency, the U.S. Secret Service, and other government agencies.
If you think your personal information may have been compromised in this breach, you can call TigerSwan at 919-274-9717 to see if your resume included any personally identifiable information.
How did this data breach happen?
The exact details are not 100 percent clear yet, but a great deal of information has been shared. TigerSwan outlined a timeline of events in a press release issued on their website.
- 2008: TigerSwan retained TalentPen to help with voluntary resume submission and organization.
- February 2017: TigerSwan ended its contract with TalentPen, and TalentPen set up a secure site to transfer any TigerSwan-related files back to TigerSwan’s secure server. The transfer site had a limited lifespan, from February 6 to February 10, and it was secured by a 20-character user ID and a 256-bit secret access key. TigerSwan downloaded the files on February 8 and let TalentPen know that they were done.
- July 2017: UpGuard discovered the unsecured files and tried to alert TigerSwan. At first TigerSwan thought it was a hoax, as they didn’t have control of the server and weren’t sure what UpGuard was even referring to.
- August 24, 2017: UpGuard contacted Amazon Web Services about the problem. Amazon then let UpGuard know the files had been removed by Amazon’s client, TalentPen. TigerSwan was never alerted by TalentPen or Amazon.
- August 31, 2017: TigerSwan received calls from reporters asking about the data breach. It began investigating what was going on and discovered TalentPen had used a bucket site on Amazon Web Services and never deleted the files after the log-in credentials expired in February.
TalentPen eventually admitted they were at fault only after TigerSwan spoke with UpGuard. TigerSwan said, “The resume files in question have now been properly secured and no additional risk of exposure exists.” Of course, at this time it is also unclear who may have gained access to this information during the 6-month period it was publicly available.