Leaky S3 bucket sloshes deets of thousands with US security clearance

Thousands of files containing the personal information of US citizens with classified security clearance have been exposed by an unsecured Amazon server. The sensitive information of an estimated 9,400 job seekers, mostly military veterans, was stored on an Amazon Web Services S3 storage server that required no password to …

  1. Pascal Monett

    Well it was called TalentPen, not IntelligencePen

    Okay, I get it: your minions make a mistake and, if you're shortsighted, you have two options: alert whoever should be alerted and clean up, risking the loss of the contract or worse, or cover up the situation and make like a hole in the water, hoping nobody will notice and everything will go fine.

    Except an unsecured server is not a "mistake" these days, it is literally dereliction of duty. Somebody noticed, and the consequence is that TalentPen is "dissolved". With a swift kick, I should hope.

    In any case, I'll wager the managers of that particular company are not going to get anywhere near contracts with veterans any more. They must be blacklisted and their names nailed to the wall.

  2. frank ly

    An Inspiration

    I've changed my Amazon account password from CorrectHorseBatteryStaple to TigerSwanTalentPen.

  3. Oh Homer

    Here comes the LinkedIn spamocalypse

    9,400 LinkedIn invitations later...

  4. Dr Who

    Thumbs up for Thomas Fischer of Digital Guardian. Tiger Swan cannot blame Talent Pen. If Tiger Swan is using a third party then they need to establish clear security policies and audit the third party to ensure compliance.

    1. John Brown (no body)

      I wonder if there's any other link between Tiger Swan and TalentPen? Like board members, investors etc.

    2. Ian Michael Gumby

      @Dr. Who

      Sorry, have to downvote you.

      The first question you have to ask... "Did Talent Pen know what information was in the data?"

      The answer is yes, they had to know since they are a 'third party recruitment firm'.

      The information contained PII (information) and thus they had an implicit obligation to lock that information down.

      This isn't to say that they should have clear policies in place, but that their contracts should also have explicit wording on the need to protect PII (information). Note: This wasn't mentioned in the article and it may already exist.

      The point is that Talent Pen is clearly at fault.

      1. Dan 10

        Re: @Dr. Who

        True, but if I were to hire Tigerswan to review and advise on security, I'd expect any report to include something like "define and implement appropriate security controls for the sharing of data with third parties, and for ensuring the third parties demonstrate compliance". That they didn't enforce that is pretty dismal.

  5. jake

    Security?

    They've heard of it. Maybe. Kinda. Ish.

    Fucking numpties.

  6. Tom Chiverton 1

    So many of these recently. Has someone got a tool that scans for open S3 buckets somehow? Is AWS leaking a global list of S3 bucket names somewhere?

    1. Adam 52

      It's easy, just try googling for "site:s3-website-us-east-1.amazonaws.com" and start digging.
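The question in the thread above (whether there is a tool that scans for open buckets) comes down to one unauthenticated request: an anonymous GET on https://<bucket>.s3.amazonaws.com/ returns a ListBucketResult document if the bucket allows public listing, an AccessDenied error if it does not, and a NoSuchBucket error if the name is unused. Below is an added example, not code from the article or from any commenter, that classifies such a response and extracts the exposed object keys. The bucket name and the three sample responses are constructed for the example, not captured from any real bucket; probe_bucket() makes a live request only if you call it yourself.

```python
"""Probe an S3 bucket for anonymous listing and parse the result.

Added example using only the standard library. The sample responses
below are constructed, not captured from any real bucket.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespace S3 uses on ListBucketResult (error documents carry none).
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of a 200 response for a bucket that allows
# anonymous listing. Object keys are made up for the example.
SAMPLE_PUBLIC_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-recruiting-bucket</Name><Prefix></Prefix>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>applicants/0001.pdf</Key><Size>48211</Size></Contents>
  <Contents><Key>applicants/0002.pdf</Key><Size>51903</Size></Contents>
  <Contents><Key>clearance-forms/batch-01.zip</Key><Size>9181233</Size></Contents>
</ListBucketResult>"""

# Constructed sample of a 403 response (bucket exists, listing denied).
SAMPLE_ACCESS_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
<RequestId>0000000000000000</RequestId></Error>"""

# Constructed sample of a 404 response (no bucket by that name).
SAMPLE_NO_SUCH_BUCKET = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>nonexistent-bucket</BucketName></Error>"""


def classify_listing_response(status, body):
    """Map an anonymous GET-bucket response to (verdict, keys).

    verdict is 'PUBLIC_LISTING', 'ACCESS_DENIED', 'NO_SUCH_BUCKET' or
    'OTHER'; keys holds the object keys a public listing exposes (an
    empty list for an empty but still publicly listable bucket).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "OTHER", []
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key")
                for c in root.findall(S3_NS + "Contents")]
        return "PUBLIC_LISTING", keys
    if root.tag == "Error":
        code = root.findtext("Code")
        if code == "AccessDenied":
            return "ACCESS_DENIED", []
        if code == "NoSuchBucket":
            return "NO_SUCH_BUCKET", []
    return "OTHER", []


def probe_bucket(name, timeout=10):
    """Send the anonymous request (network access) and classify it.

    Only probe buckets you own or are authorised to test.
    """
    url = "https://%s.s3.amazonaws.com/" % name
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 403/404 arrive as HTTPError; the body is still the S3 XML.
        return classify_listing_response(err.code, err.read())


if __name__ == "__main__":
    import sys
    for bucket in sys.argv[1:]:
        verdict, keys = probe_bucket(bucket)
        print(bucket, verdict, len(keys), "object(s) listed")
```

A PUBLIC_LISTING verdict is the condition the article describes: anyone who guesses or finds the bucket name can enumerate and download its contents. ACCESS_DENIED only says listing is blocked; individual objects may still be readable if their ACLs are public, so a full check also fetches a known key anonymously.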

  7. MachDiamond

    Manage your own data

    Anything stored in "the cloud" is potentially public. A company recruiting employees for government classified work should know better than to outsource their data storage. Hard drives practically grow on trees these days and job applications/resumes take up hardly any space.

    The agency should be banned from all future government work and the execs criminally charged.

  8. sizbut

    "TalentPen", "TigerSwan", "BitGlass", "AlienVault" - and all probably delivered by some branding consultants at $X00,000 a pop. We all really are in the wrong business.

    1. Alistair

      Re-Branding exercise.

      TigerPown?

  9. vir

    Just Another Example

    As they say: you can delegate authority, but never responsibility.
