Did you submit your resume to TigerSwan, a private security company in North Carolina supporting the National Industrial Security Program (NISP) community any time before 2008-2017?
Sadly, your week is about to go south. There is a high possibility that your sensitive information may have been available for the world to peruse. And that simply sucks.
Security researcher, Chris Vickery, recently revealed thousands of TigerSwan resumes were located in the Amazon Web Services S3 (AWS S3) data stores. A third-party placed the resumes in the environment left them wide open, without encryption, for public access.
We have said, often, that when your vendor fails, so do you. And this episode is no different. TigerSwan released a statement that they used a recruiting vendor, TalentPen. TigerSwan then promptly threw them right under the bus sighting their former vendor’s “negligence.” We won’t argue this point, what occurred was negligent.
Perhaps more egregious, according to Vickery, he advised TigerSwan of the issue and thirty-days later, the issue remained. Who does that? A quick search on the net would have revealed Vickery is a highly respected security researcher. Perhaps search isn’t TigerSwan’s strong suit.
Every CI officer knows, you listen to the whole story from anyone who says you’ve been penetrated or your information is exposed. Then, after you have what they wish to share, you analyze whether the information is credible. The fact that Vickery was able to produce the raw documents would have quickly established that TigerSwan’s pool of applicant resumes was blowing in the breeze.
While BlackSwan’s statement clearly indicates security is important, one must ask, is OPSEC a priority? The most basic tenant of OPSEC is “need to know” and their failure to ensure their vendor TalentPen adhered to this creed, evidences a degree of naivete about the world of NISP.
TigerSwan terminated its relationship with TalentPen in February 2017 and TalentPen transferred the resumes in their possession to TigerSwan using the AWS S3 environment. Following the transfer, TalentPen should have destroyed the files. Oooops. The destruction of the data didn’t happen and there was, apparently, no audit in place to verify discovery. Again, basic OPSEC.
Bottom Line of the breach
If you filed your resume with TigerSwan between 2008-2017, your information may have been included in the data trove processed by TalentPen. As of August 31, 2017, those files were secured.
What was exposed?
Here’s how Vickery described his find:
The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses. Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers.
What you can do?
If you are a potential victim in this latest episode, here is what TigerSwan wants you to do (culled from their statement):
As a part of the rectification effort, if you voluntarily filled out a resume form on our website between 2008 and 2017, please call the following hotline number to see if your resume included any personally identifiable information: 919-274-9717.
If you are a recruiter and are housing applicant files in the AWS S3, environment, take heed of Amazon’s step by step direction on limiting access to the trove of data. While the TigerSwan incident was fully avoidable, they are in good company … Dow Jones (two million exposed), Verizon (14 million exposed) and Republican National Committee vendor DeepRoot (200 million U.S. voters). The commonality – every one of them had their access control settings on their data stores in the AWS S3 environment configured to allow anyone access.
With so many incidents hitting the press, Amazon has been proactive and has advised all AWS S3 users if their access control settings allow public or AWS community (might as well be public) access. Those who ignore these advisories from Amazon do so at their own peril.
Know this! Security researchers and others (read nefarious individuals including nation states) are scanning cloud storage environments (including AWS S3) for entities storing information in a non-secure manner. The nefarious will monetize the information, the researcher will inform you and then write about your lack of security. Either way, your entity will be negatively affected.
Please, do not collect what you cannot protect.
