The right-wing group that leads a recruitment effort for Capitol Hill offices and allied nonprofits, the Conservative Partnership Institute (CPI), has for months left exposed the sensitive personal information of applicants to its online “jobs bank,” the Washington Free Beacon found, including members of the U.S. intelligence community, congressional aides, former Trump administration officials, and campaign operatives.
Led by former Heritage Foundation president Jim DeMint and one of his former aides, Ed Corrigan, as well as by former Trump chief of staff Mark Meadows, who the New York Times reported is paid $847,000 to serve as the organization’s “senior partner,” the Conservative Partnership Institute has exposed the social security numbers, home addresses, private client names, and other personal details of over 1,500 job applicants, including several who hold the highest level security clearance—known as a top secret/sensitive compartmented information (TS/SCI) clearance—in a public online storage system on an Amazon cloud. With basic web-scraping software, the records can be viewed by anyone, including America’s foreign adversaries.
The discovery comes days after news reports revealed that foreign actors are setting their sights on key aspects of the right-wing infrastructure in Washington, D.C. According to a Politico report, the Heritage Foundation was the subject of a cyberattack last week, likely from Russian or Chinese state actors, “aimed at Project 2025,” an effort to assemble resumes and lay the groundwork for the next Trump administration, if the former president wins the election in November. A Heritage official told Politico that the resume bank wasn’t breached because it is kept on a different server than the one attacked.
As recently as Tuesday, the Free Beacon was able to access and view hundreds of the resumes, including many containing sensitive national security and personal details, through the Conservative Partnership Institute’s unrestricted online storage system. A denuded resume uploaded by the Free Beacon through the CPI’s “job bank initiative” was instantly accessible online.
The Free Beacon sent a note to Corrigan on Thursday morning apprising him of the problem and of our intention to write a story on the matter, but not until we received confirmation the compromised files had been taken down. A public relations spokesman for CPI, Bobby Donachie of Athos PR, responded to the note with a phone call raising questions about whether any of the files were publicly accessible and proceeded to hang up. The files were removed shortly thereafter, and a spokesman for CPI said “we have resolved the situation.”
One resume included details about the applicant’s work collecting Russian data for a U.S. intelligence agency. Others included the detailed military and national security backgrounds of over 50 job seekers with active security clearances, and, in some cases, military records like discharge and separation papers from the military.
The Free Beacon has removed all private and personally identifying information from the Air Force’s Form DD214, a certificate of release from active duty, which was posted to the job bank, just one example of the sort of sensitive information that sat online there.
Other applicants described themselves as follows: An intelligence analyst for a U.S. government client described herself as “a highly qualified Intelligence professional with over 5 years of experience in the Intelligence Community…TS/SCI clearance with Full Scope Polygraph.” A current Pentagon official with a TS/SCI clearance said he “leads the team that translates the President’s and Secretary of Defense’s directives into policy and orders for execution in U.S Central Command.” The resumes for both included their names, addresses, and cell phone numbers.
The records also disclosed the private clients of numerous D.C. public affairs firms, including the DCI Group, FP1, Hiltzik Strategies, and CRC Advisors.
The records are stored in open Amazon S3 buckets, which are publicly accessible unless the owner takes steps to make them private.
Joseph Steinberg, a cyber risk expert and the author of Cybersecurity for Dummies, told the Free Beacon that the unprotected system was “essentially the equivalent of putting a bucket of sensitive data in the middle of Times Square.”
“Foreign actors are probably going after these things,” Steinberg said. “We don’t know the repercussions that could come down the line.”
Steinberg added that such information could be collected by foreign governments and used to identify future administration officials, possibly for “blackmail and bribery.”
CPI was founded by DeMint, a former South Carolina senator, in 2017. Its job bank originally focused on placing staffers on Capitol Hill but widened its scope in recent years. CPI’s website states that it has “provided the administrative, staffing, and legal support for more than a dozen groups,” including America First Legal, the American Accountability Foundation, the Center for Renewing America, and several others.
“Our goal is to better serve the conservative movement by putting the right people in the right positions to be the most effective. For people new to DC or looking to advance their professional development we offer a variety of training to help staff be successful,” the organization’s website states.
Job bank records accessed and viewed by the Free Beacon included the social security number of an Air Force veteran; security clearance level information for dozens of job-hunters; and the names of private clients of major public affairs firms.
The job bank documents have been accessible on the Amazon server since at least last summer, according to records reviewed by the Free Beacon. The information is viewable by anyone who has the direct URL or who has access to online web scraping software.