Once again we learn of data being collected but left unprotected. The guilty this time around are the job recruiting sites “Authentic Jobs” and “Sonic Jobs.” Security researcher Gareth Llewelyn discovered the misconfigured Amazon Web Services (AWS) data storage buckets controlled by these firms.
Had they been the first entities to use AWS and leave the door open for data examination, one might be sympathetic. But that isn’t the case.
In September 2017, Tiger Swan, a company supporting the National Industrial Security Program community, saw their corpus of resumes – also stored with the AWS environment – availed to public scrutiny. Tiger Swan threw their recruiting vendor, TalentPen, under the bus for the misconfiguration of the AWS environment.
What was exposed?
Authentic Jobs had 221,130 resumes exposed, and list among their clients Ernst & Young and The New York Times. Sonic Jobs, a UK recruiting firm, had 29,202 resumes exposed, and lists Marriott and InterContinental Hotels as among their clients.
Interestingly, used their start-up status as a justification in their published response: “With limited resources, as a small business, we are confident that we take reasonable and proportionate measures to protect the confidentiality, integrity, and availability of our business data and the personal data we hold.”
Authentic Jobs pulled out the rubber stamp of “security” with its comment, “We take security and privacy very seriously and are looking into how this happened.”
Both responses are clearly indicative of entities which put security and privacy as secondary considerations within their data structure. Sonic Jobs claiming that the size of their firm is mitigating is simply hogwash, as Amazon goes to great lengths to highlight to users of their AWS buckets when their settings for stored data are available for anyone with the URL to access.
Highlighting the threat to the cleared population
Field Security Officers should be highlighting this data exposure to their information technology teams. While the above examples are within the world of personnel recruiting, AWS data storage is agnostic when it comes to the content of the data and the type of companies which use their environment.
Recent exposures include 73Gb of information, accounts and accompanying passwords for their employees, a company who stored their own system credentials on AWS and a Super-Pac which exposed 527,000 contributor’s data.
The bottom line remains: If you collect the data, protect the data.
