Resumes for hundreds of individuals who applied for work at a US-based private security firm have been exposed following a security lapse by a third-party recruiting firm.
Around 9,400 resumes were discovered on a public, unlisted Amazon Web Services storage server by Chris Vickery, director of cyber risk research at security firm UpGuard.
The server belongs to recruitment company TalentPen, which until February was contracted by the mercenary firm TigerSwan to provide services for voluntary resume submission.
The resumes reveal the personal details of prospective employees who had applied to work for TigerSwan as far back as 2008, when the private security firm was founded. Many of those who joined the company's ranks went on to provide security work in the aftermath of the Iraq War, at the Sochi Olympics, and, more controversially, reportedly unlicensed security work at the North Dakota pipeline protests.
The exposed documents list a range of personal information, including an applicant's home address, phone numbers, email addresses, driver's license and passport numbers, and social security numbers.
Hundreds of resumes claimed to have "top secret" clearances, and access to highly-classified sensitive compartmented information. In many cases, the resumes reveal details of an applicant's past duties, including sensitive defense and intelligence roles.
While the majority of applicants are US veterans, several of the resumes purportedly belong to Iraqi and Afghan nationals, who cooperated and worked with US forces and government agencies in their home countries -- who may now be endangered by the disclosure of their past work.
According to a blog post published by UpGuard, the resumes included "the contact information of a former US ambassador to Indonesia and of a former director of the CIA's clandestine service, each listed in a resume's references section."
Vickery told ZDNet in a phone call Friday prior to publication that this kind of data would be "highly sought-after" by foreign intelligence agencies.
"If you have a contractor working for the NSA and you have their resume, and know their personal Yahoo email address, they're a high value target that you can target attacks at," he said. "The intelligence campaigns that can be used for this trove of data is extreme."
Vickery added that it took UpGuard more than a month from the point of discovery to secure the server -- in part because the server did not belong to TigerSwan.
Amazon eventually intervened, shutting down the TalentPen-owned server on August 24.
In a statement published Saturday, TigerSwan confirmed the timeline, and offered more details.
According to the statement, TalentPen set up a secure site to transfer the resume files to a TigerSwan server, following the termination of the recruitment company's contract. TigerSwan said that it "learned that our former recruiting vendor TalentPen used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our login credentials expired."
"Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less, were publicly facing," the statement read.
"We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants," said TigerSwan.
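The statement describes a transfer bucket whose contents stayed publicly reachable long after the handoff ended and the credentials expired. As an added illustration, not code from UpGuard, TigerSwan or TalentPen, the following Python audits a bucket's ACL, policy and lifecycle configuration for exactly those two conditions; the sample inputs are constructed, and the bucket name and owner ID are placeholders.

```python
# Offline audit of S3 bucket metadata for the two conditions behind this incident:
# objects readable by anyone, and transfer data that is never expired. Inputs are
# constructed dicts shaped like boto3 get_bucket_acl/policy/lifecycle responses.
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """Permissions the ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

def policy_allows_anyone(policy_json):
    """True if an Allow statement names a wildcard principal with no Condition."""
    for st in json.loads(policy_json).get("Statement", []):
        p = st.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else (p or [])
        aws = [aws] if isinstance(aws, str) else aws
        if st.get("Effect") == "Allow" and "*" in aws and "Condition" not in st:
            return True
    return False

def has_expiration_rule(lifecycle):
    """True if an enabled lifecycle rule expires objects, as a staging bucket should."""
    return any(r.get("Status") == "Enabled" and "Expiration" in r
               for r in lifecycle.get("Rules", []))

def audit_bucket(acl, policy_json, lifecycle):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    grants = acl_public_grants(acl)
    if grants:
        findings.append("ACL grants " + ", ".join(grants) + " to a public group")
    if policy_json and policy_allows_anyone(policy_json):
        findings.append("policy allows a wildcard principal unconditionally")
    if not has_expiration_rule(lifecycle):
        findings.append("no lifecycle expiration: transferred files persist indefinitely")
    return findings
# Constructed sample: a staging bucket left world-readable and never cleaned up.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-transfer-bucket/*"}]})
SAMPLE_LIFECYCLE = {"Rules": []}

if __name__ == "__main__":
    print("\n".join("FINDING: " + f for f in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LIFECYCLE)))
```

Against live data, the same functions take the dicts returned by boto3's `get_bucket_acl`, `get_bucket_policy` (its `Policy` string) and `get_bucket_lifecycle_configuration`; a bucket with Block Public Access enabled will still show the legacy grants, so check that setting separately.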
James Reese, chief executive of TigerSwan, said the company has "initiated steps" to notify the individuals affected by the breach.
Susan Govea, who owns TalentPen, did not respond to a request for comment Saturday.