The resumes of more than 9,000 former U.S. military personnel, many with top secret security clearance, were left exposed on an unsecured Amazon S3 server.

Security contractor TigerSwan has pinned the lapse on TalentPen, a recruiting firm it used to process job applicants. The Amazon S3 server was used to transfer documents from TalentPen to TigerSwan.

“We take information security very seriously, especially in this instance, because a majority of the resume files were from veterans,” TigerSwan CEO Jim Reese said in a statement. “As a Service-Disabled, Veteran-Owned Small Business, we find the potential exposure of their resumes inexcusable. To our colleagues and fellow veterans, we apologize. The situation is rectified and we have initiated steps to inform the individuals affected by this breach.”

The incident is the latest in a series of exposures on AWS S3 servers. “In the last few months, we've seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless and Dow Jones,” said Bitglass CEO Rich Campagna. “These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk.”

Stressing that TigerSwan's server had not been breached and that “all resume files in TigerSwan's possession are secure,” the company said Amazon had notified TalentPen of the exposed information in August and that the firm removed the resume files on August 24. “TalentPen never notified us of their negligence with the resume files nor that they only recently removed the files,” TigerSwan said. “It was only when we reached out to them with the information on August 31st did they acknowledge their actions.”

The company is exploring “all recourse and options available to us and those who submitted a resume” and encouraged anyone who had “voluntarily filled out a resume form on [its] website between 2008 and 2017” to call a hotline number, 919-274-9717, to determine whether the resume contained personally identifiable information (PII).

