Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).
Today we have another case and, this time, an example of how not to handle it.
Today’s case also came from researcher Chris Vickery and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”. In fact, the company is Tigerswan, a private security firm.
Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.
On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan. As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information. This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.
On July 21st Chris emailed Tigerswan about the situation. He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.
On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.
Finally, on August 24th, a month after Tigerswan was first notified, the data was secured.
THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.
Tigerswan blamed the situation on a former recruiting vendor – in other words, the data was effectively abandoned and unprotected. No one “Owned” that data.
Chris’s blog post provides a lot of examples of the backgrounds of people whose information was exposed and, it would seem, this information would be attractive to intelligence agents. Included in the resumes were police officers, sheriff deputies, people who worked at Guantanamo and many others.
Also on some of the resumes were references with contact information including one former director of the CIA clandestine services. You kind of get the idea.
The fact that it took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company. The fact that Amazon finally had to intervene makes the situation even worse. Unfortunately, neither of these is unusual.
While it does take some work to build and maintain the data maps to document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low. Very low. For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high and those veterans and others will have to deal with it. That could, realistically, be sufficient grounds for a class action lawsuit against Tigerswan.
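As an added example (not from the original post or from Tigerswan), here is the kind of check a defender can run across an AWS account for the two failures described above: S3 buckets readable by anyone, and buckets with no recorded owner. It assumes boto3 credentials for the account and a `DataOwner` bucket tag as the ownership record from the data map; the sample ACL is constructed.

```python
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OWNER_TAG = "DataOwner"  # assumed tag name; use whatever key your data map records

def assess_bucket(acl_grants, public_access_block, tags, policy=None):
    """Return findings for one bucket. Inputs have the shapes boto3 returns for
    get_bucket_acl()["Grants"], get_public_access_block()["PublicAccessBlockConfiguration"]
    (None if unset), get_bucket_tagging()["TagSet"] and get_bucket_policy()["Policy"]."""
    findings = []
    block = public_access_block or {}
    # Unless all four settings are on, an ACL or policy can still make the bucket public.
    if not all(block.get(k) for k in BLOCK_KEYS):
        findings.append("public access block not fully enabled")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    for stmt in (json.loads(policy).get("Statement", []) if policy else []):
        # Common spellings of an anonymous principal in a bucket policy.
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            findings.append("bucket policy allows Principal *")
    # The root cause in the post: data nobody owns. A missing owner tag is a finding.
    if not any(t.get("Key") == OWNER_TAG and t.get("Value") for t in tags):
        findings.append(f"no {OWNER_TAG} tag: nobody is accountable for this data")
    return findings

def audit_account(s3):
    """Run assess_bucket over every bucket visible to a boto3 S3 client."""
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        def get(fn, key, default):
            try:
                return fn(Bucket=name)[key]
            except s3.exceptions.ClientError:  # no policy, tags or block configured
                return default
        report[name] = assess_bucket(
            get(s3.get_bucket_acl, "Grants", []),
            get(s3.get_public_access_block, "PublicAccessBlockConfiguration", None),
            get(s3.get_bucket_tagging, "TagSet", []),
            get(s3.get_bucket_policy, "Policy", None))
    return report

# Constructed sample ACL: a world-readable bucket like the one in the post.
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS and "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
```

Calling `audit_account(boto3.client("s3"))` returns a dict of bucket name to findings; any bucket with a non-empty list needs an owner assigned before anything else is decided about it.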