Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed on an unsecured Amazon server, potentially for most of the year.
The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process its new job applicants.
"At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."
TalentPen could not be immediately reached for comment.
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveals extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.
Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm that discovered and reviewed the documents.
The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labelled "Resumes" containing the curriculum vitae of thousands of US citizens holding Top Secret security clearances — required for their jobs at the Central Intelligence Agency, the National Security Agency, and the US Secret Service, among other agencies.
Many of the files are timestamped and indicate that they were uploaded to the server in mid-February. At this time, there is no way to know for how long the information has been publicly accessible.
Founded in 2008 by a former Delta Force operative, retired US Army Lt. Colonel James Reese, TigerSwan has operated on behalf of the U.S. military and State Department in Iraq and Afghanistan, as well as domestically on behalf of corporations. The firm reportedly employs a staff of roughly 350 with offices across the Middle East, in North and West Africa, Latin America, and Japan.
Beyond its battlefield utility, TigerSwan International has provided construction and security services in Saudi Arabia, where the firm is licensed by the monarchy's general investment authority; protection details for corporate sponsors and sports fans during the 2014 Sochi Olympics in Russia; and, more recently, aid to US law enforcement tasked with countering protests around the construction of the Dakota Access pipeline.
Due to the number of resumes involved, the full impact of the breach has yet to be realised. Some of the applicants were apparently involved in very sensitive and highly classified military operations. According to UpGuard, at least one of the applicants cited his involvement in the transportation of nuclear weapons components and activation codes. Another applicant referenced his employment at the infamous Abu Ghraib black site near Baghdad, where prisoners are known to have been tortured.
Other applicants, who provided their home address, as well as personal email accounts and phone numbers, have been employed — and may currently be employed — within the US intelligence community and working on top secret programs, according to UpGuard. A Gizmodo investigation into the potential consequences of the breach was interrupted on Saturday after TigerSwan went public with a statement on its website.
The repercussions for foreign nationals who applied to work at TigerSwan, and who currently live in conflict zones such as Iraq, have not yet been fully assessed.
This article will be updated as more information becomes available.
Kate Conger contributed additional reporting.