AWS Data Leak Exposes Military Personnel Details

Data leaks are nothing new in the cloud world, certainly not a novelty on AWS, as the past few months have shown. But this latest one is all that more special, as it has exposed highly sensitive data.

That of military and intelligence personnel.

Thousands of former and current US, NATO coalition, and other service members have been inadvertently exposed, and their details left in the open for a long period of time.

Basically, the resumes, addresses, and other private information of a number of people that hold top secret security clearance were left in an unsecured database after they applied for vacancies at a security firm that goes by the name of TigerSwan.

Discovered by security firm UpGuard, an erroneously configured Amazon Web Services S3 storage bucket was at the center of it all. And not only resumes, home addresses, and contact details were out there, but employment history, passport numbers, driver’s licenses, and partial social security numbers.

The error led to no less than 9,402 documents left exposed, though the company is yet to declare how many people this could have affected.

It does say that anyone that submitted their resumes between 2008 till 2017 can contact it for further information about how much of their personal information was accessible online — but either way, this one is one of the most serious lapses in security in recent memory.

Simply because many of the people affected are active military personnel that are still deployed in active conflict zones like Afghanistan and Iraq.

Of particular concern are the details of translators, whose families may still be living close to enemy combatants.

The company has confirmed the removal of these details, saying that it had actually delegated the work of storing the resumes to TalentPen, a third-party vendor who was actually responsible for leaving this data easily accessibly on the Amazon storage bucket.

Not a particularly good reflection on TigerSwan, who claims to be an international security company.

And the scary thing is that cloud security is still not improving across the board, even after several high-profile incidents, from Dow Jones to Verizon, and hotel booking to voter records. You simply continue to hear about misconfigured S3 buckets every other week.