Security Firm Exposed More Than 9,000 Job Applications in Data Breach

Personally identifiable records on more than 9,000 job applicants to a North Carolina-based private security firm were inadvertently exposed. In hundreds of cases, the data included a job applicant’s claim of a “Top Secret” security clearance.

The company, TigerSwan, told a cyber risk team from UpGuard that a third-party vendor responsible for handling new job applicants did not properly secure the applicants’ data once the vendor was terminated and the data was transferred back to TigerSwan in February of this year. The exposed files were not discovered until July 20.

The data breach resulted from an improperly configured and secured S3 data storage bucket provided to the vendor — a recruiting firm named TalentPen — by Amazon Web Services (AWS). A similar oversight was responsible for the exposure of some 14 million Verizon customers’ records earlier this year.

Most of the exposed records belonged to U.S. military veterans who had provided a lot of detail about their past duties, including sensitive defense and intelligence roles. The exposed data included information typically found on a résumé: name, address, phone, email address.

But the résumé data also included such non-typical items as security clearances, driver’s license numbers, passport numbers and partial Social Security numbers. According to UpGuard, that wasn’t the worst of it:

“Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.”

TigerSwan has posted a detailed explanation of its actions and timeline and says it is evaluating its “vendor selection processes and their data management practices.” The firm lays most of the blame for the exposed data at the feet of its vendor, and CEO Jim Reese offered this statement to those who may have had their data exposed:

“As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize.”