Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year.
The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants.
"At no time was there ever a data breach of any TigerSwan server," the firm said. "All resume files in TigerSwan's possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume."
TalentPen could not be immediately reached for comment and Gizmodo could not independently confirm the company's involvement. During conversations with Gizmodo, TigerSwan repeatedly refused to provide any documentation showing TalentPen was at fault.
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.
Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet this criteria.
The files, unearthed this summer by a security analyst at the California-based cybersecurity firm UpGuard, were discovered in a folder labeled "resumes" containing the curriculum vitae of thousands of US citizens holding Top Secret security clearances—a prerequisite for their jobs at the Central Intelligence Agency, the National Security Agency, and the US Secret Service, among other government agencies.
Many of the files are timestamped and indicate that they were uploaded to the server in mid-February. Gizmodo has yet to confirm for how long the data was left publicly accessible, information only accessible to Amazon and the server's owner.