Chris Vickery, director of cyber risk research at the California-based security firm UpGuard, discovered the cache of around 9,400 job application files on an unsecured Amazon Web Services S3 storage server that required no password to access.
The exposed personal information includes social security numbers, driver's license and passport numbers, home addresses and many other contact details.
Having briefly reviewed the files, UpGuard found that hundreds of the resumes came from applicants with Top Secret US security clearance, a prerequisite for a job at the Central Intelligence Agency, the National Security Agency, or the US Secret Service, among other government agencies.
Some of the documents also revealed sensitive and personal details about Iraqi and Afghan nationals who cooperated with US forces in their home countries and are now seen to have been put at risk in the leak.
According to the TigerSwan statement, TalentPen set up the supposedly secure server to transfer resume files to a TigerSwan server following the termination of TalentPen's contract in February of this year.
"[We] learned that our former recruiting vendor TalentPen used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our login credentials expired," the TigerSwan statement said.
"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing."
Some of the applicants in the database were apparently involved in very sensitive and highly classified military operations. At least one applicant claimed that he was charged with the transportation of nuclear activation codes and weapons components.
UpGuard noted that they found it "troubling" that the files remained accessible for a month after their Cyber Risk Team notified TigerSwan about the exposure.
Due to the number of resumes involved, the true impact of the breach has yet to be fully realized.