On Thursday, August 31st, a press inquiry alerted TigerSwan that resume files, accessed by a cyber resilience company (Upguard Inc.) on a site hosted by Amazon Web Services and controlled by a former recruiting vendor, TalentPen, LLC, were publicly accessible.
“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans. As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach,” said Jim Reese, TigerSwan CEO.
As a part of the rectification effort, if you voluntarily filled out a resume form on the TigerSwan website between 2008 and 2017, please call the following hotline number to see if your resume included any personally identifiable information: 919-274-9717.
While we regret this happened, TigerSwan appreciates Upguard for making us aware of TalentPen’s actions and bringing this to the attention of Amazon Web Services. It is our understanding that Amazon Web Services informed TalentPen of this issue sometime in August, resulting in TalentPen removing the resume files on August 24th.
TalentPen never notified us of their negligence with the resume files, nor that they had only recently removed the files. Only when we reached out to them with the information on August 31st did they acknowledge their actions. In our conversation with Upguard, they acknowledged that this 3rd party vendor did not act correctly. We have reached out to Amazon Web Services directly to learn everything we can.
At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resume.
This is a regrettable experience and we are re-evaluating our vendor selection processes and their data management practices as a result. We hope to be able to share this experience as an important lesson learned for fellow veterans and others running their own small business.
Summary of the facts and timeline of events
In 2008, TigerSwan was selected for a services contract. We retained TalentPen to assist with voluntary resume submission and organization for those interested in working for TigerSwan.
In February of 2017, TigerSwan terminated TalentPen’s contract. To close out our account, TalentPen set up a secure site to transfer the resume files connected to the project to TigerSwan’s secure server. This transfer site was secured by a 20-character user id and a 256-bit secret access key, and it had a limited lifespan, from February 6th to February 10th.
TigerSwan downloaded the files to our secure server on February 8th. In accordance with TalentPen’s procedure, we notified them that the download was complete, initiating their process to remove the files.
On Friday, July 21st, at 6:35pm EST, our general email address received a message from an Upguard research analyst alleging a potential data breach of a cloud file repository. Knowing that none of our TigerSwan systems have ever been breached, we initiated a scan of our existing systems, which found no potential breach. Also knowing that we did not have or control a cloud file repository, we regarded his email as highly suspect and a potential phishing scam.
On Saturday, July 22nd, our Global Security Operations Center received a phone call making similar claims, and it was also not considered credible. Our team advised Upguard that the situation was under control in order to stop them from contacting us, because we viewed their approach as lacking credibility.
The reasons TigerSwan did not view the overtures from Upguard as credible were that the analyst’s claim was inaccurate, that it included a URL over which we had no knowledge or control, and that it contained a second URL pointing to another, unknown website. Adding to our skepticism was the fact that this incident happened during the same general timeframe as the increase in ransomware attacks.
On Thursday, August 31st, TigerSwan received calls from multiple reporters requesting comment about a TigerSwan data breach found by Upguard. We contacted Upguard both at the research level and the CEO level, because the claims being relayed to us by the reporters were inaccurate, and we wanted to better understand what Upguard was representing.
Through our conversation, we were able to confirm several things to Upguard.
First, there was no data breach of any TigerSwan server.
Second, we do not control nor have we controlled any bucket sites on Amazon Web Services.
Third, a former 3rd party vendor, not TigerSwan, controlled this site.
From this conversation with Upguard Inc, and our subsequent investigation, we learned that our former recruiting vendor, TalentPen, used a bucket site on Amazon Web Services for the transfer of resumes to our secure server but never deleted them after our log-in credentials expired. Since we did not control or have access to this site, we were not aware that these documents were still on the web, much less that they were publicly accessible.
We learned that Upguard contacted Amazon Web Services about this issue in August, between August 23rd and August 24th. On August 24th, Amazon Web Services informed Upguard that the files had been removed by Amazon’s client, which was TalentPen. TigerSwan was never informed of the exposure or the above activity between our former vendor and/or Amazon Web Services. We have reached out to Amazon Web Services to learn more.
TalentPen never volunteered this information about their actions to us and only admitted it when we reached out to them after talking to Upguard on August 31st, over a week after they secretly removed the resume files.
The resume files in question have now been properly secured and no additional risk of exposure exists. Again, we want to thank Upguard for bringing this situation to our attention and for having the talented individuals who can identify these potentially problematic breaches. For that, we are grateful and humbled.