That was my question when I read: Insecure: How A Private Military Contractor’s Hiring Files Leaked by Dan O’Sullivan.
The UpGuard Cyber Risk Team can now disclose that a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan, a North Carolina-based private security firm, were exposed to the public internet, revealing the sensitive personal details of thousands of job applicants, including hundreds claiming “Top Secret” US government security clearances. TigerSwan has recently told UpGuard that the resumes were left unsecured by a recruiting vendor that TigerSwan terminated in February 2017. If that vendor was responsible for storing the resumes on an unsecured cloud repository, the incident again underscores the importance of qualifying the security practices of vendors who are handling sensitive information.
The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles. They include information typically found on resumes, such as applicants’ home addresses, phone numbers, work history, and email addresses. Many, however, also list more sensitive information, such as security clearances, driver’s license numbers, passport numbers and at least partial Social Security numbers. Most troubling is the presence of resumes from Iraqi and Afghan nationals who cooperated with US forces, contractors, and government agencies in their home countries, and who may be endangered by the disclosure of their personal details.
While the process errors and vendor practices that result in such cloud exposures are all too common in the digital landscape of 2017, the month-long period during which the files remained unsecured after UpGuard’s Cyber Risk Team notified TigerSwan is troubling.
…
Amazing story isn’t it? Even more amazing is that UpGuard sat on the data for a month, waiting for TigerSwan to secure it. Not to mention UpGuard not publicly posting the data upon discovery.
In case you don’t recognize “TigerSwan,” let me refresh your memory:
UpGuard finds 9,402 resumes, applicants seeking employment with TigerSwan/Blackwater type employers.
Did they expose these resumes to the public?
Did they expose these resumes to the press?
Did they expose these resumes to prosecutors?
None of the above.
UpGuard spends a month trying to keep the data hidden from the public, the press and potential prosecutors!
Unpaid charity work so far as I know.
Thousands of mercenaries benefit from this charity work by UpGuard. Their kind can continue to violate the rights of protesters, murder civilians, etc., all the while being watched over by UpGuard. For free.
Would you shield torturers and murderers from their past or future victims?
Don’t be UpGuard, choose no.