Millions of Recruitment Records Exposed in Data Breach
Incredibly, only days after the unintentional data breach at the Australian Red Cross Blood Service, another disturbing accidental breach has been discovered: more than 30 GB of personal and sensitive data belonging to the global UK-based recruitment firm Michael Page was found sitting on an unsecured, public-facing server.
Michael Page has a large presence in Australia. The company said the data was accessed on 31 October and that the exposure was discovered the next day.
The breached database – located in Australia – reportedly contained nearly 8 million user records, exposing over 713,000 individual job seekers; many are thought to be from Australia.
Compromised records include cover letters, résumés and current applications submitted via LinkedIn, along with the personal information that accompanies such documents, such as email addresses, phone numbers and residential addresses. Usernames and passwords were not compromised, as they were reportedly encrypted.
Global consulting, technology, and outsourcing services firm, Capgemini, has been named as the source behind the accidental release.
The breach occurred when data backups were inadvertently placed on a development server – possibly when the company was security testing Michael Page’s ICT systems – and accessed by anonymous individuals thought to be behind the discovery of the non-secure Red Cross data.
Troy Hunt, operator of the haveibeenpwned.com website, was contacted on October 30 and sent a sample of the newly compromised data. In an interview with IT News, Hunt said that, just like the Red Cross breach, no particular skill was required to discover the database backup files.
“It’s really simple; someone just left the data on the server, and it was easily found. It’s not just one mistake, but several, including backing up production data to a development server, connecting that to the internet and enabling directory browsing.
Was it one person who did this, or did it take a concerted effort by several people to make the basic errors that led to the leak?”
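The three mistakes Hunt lists (production backups on a development box, that box reachable from the internet, directory browsing switched on) are exactly the ones a practitioner should be checking for on their own hosts. The following is an added example, not code from the original article or from Michael Page, Capgemini or Troy Hunt: a small checker that takes the HTML a web server returns for a path, decides whether it is an autoindex-style directory listing, and lists any backup-looking files it exposes. The two HTML responses and the hostname `dev.example.invalid` are constructed for the example; no real server is contacted.

```python
"""Detect an exposed directory listing and flag backup-like files in it.

Added example, not code from the original article or from Michael Page,
Capgemini or Troy Hunt. The sample HTML below is constructed to resemble an
nginx `autoindex on` / Apache mod_autoindex page; no real server is contacted.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions that should never sit under a public web root: database dumps,
# archives and generic backup files. Extend to taste.
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".bak", ".dump", ".tar", ".tar.gz",
                     ".tgz", ".zip", ".7z", ".old", ".mdb")

# Titles/headings that autoindex modules emit when directory browsing is on.
LISTING_MARKERS = re.compile(r"Index of /|Directory listing for", re.I)


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag on the listing page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    """True when the response looks like an autoindex-generated listing."""
    return bool(LISTING_MARKERS.search(html))


def find_exposed_backups(html: str, base_url: str) -> list[str]:
    """Return absolute URLs of backup-like files linked from a listing page.

    Returns an empty list when the page is not a directory listing at all,
    which is also what a correctly configured server (403 or index page)
    should produce.
    """
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href in collector.hrefs:
        # Skip the parent link and subdirectories (trailing slash).
        if href == "../" or href.endswith("/"):
            continue
        if href.lower().endswith(BACKUP_EXTENSIONS):
            hits.append(urljoin(base_url, href))
    return hits


# Constructed sample: an nginx `autoindex on` response for a directory into
# which someone dropped production database backups.
SAMPLE_LISTING = """<html><head><title>Index of /backups/</title></head>
<body><h1>Index of /backups/</h1><hr><pre>
<a href="../">../</a>
<a href="candidates_prod_2016-10-28.sql.gz">candidates_prod_2016-10-28.sql.gz</a>
<a href="site-backup.tar.gz">site-backup.tar.gz</a>
<a href="logs/">logs/</a>
<a href="README.txt">README.txt</a>
</pre><hr></body></html>"""

# Constructed sample: the same path after `autoindex off` (nginx) or
# `Options -Indexes` (Apache); the server refuses to enumerate the files.
SAMPLE_FORBIDDEN = ("<html><head><title>403 Forbidden</title></head>"
                    "<body><h1>403 Forbidden</h1></body></html>")

if __name__ == "__main__":
    base = "http://dev.example.invalid/backups/"  # hypothetical host
    for label, page in (("listing on", SAMPLE_LISTING),
                        ("listing off", SAMPLE_FORBIDDEN)):
        print(label, is_directory_listing(page), find_exposed_backups(page, base))
```

In practice the HTML would come from a fetch of each path you want to audit; the script deliberately keeps the detection logic separate from any network call so it can be run over saved responses or a crawler's output. Disabling listings (`autoindex off` in nginx, `Options -Indexes` in Apache) closes the enumeration path, but it does not make the files safe: a backup placed under a web root is still retrievable by anyone who guesses or learns its name, so the real fix is to keep backups off internet-facing hosts entirely.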
Page Group has sent messages to affected clients saying that “We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.
We requested that the third party destroys all copies of the data and they have confirmed that they have already done so.”
The perpetrators are thought to have complied and destroyed all compromised information and records.
The entire incident closely resembles the Red Cross breach – both in the ease of access and in the careless practices behind it – and once again shows that such incidents are not confined to hackers forcing their way into targeted systems. Many information security breaches in Australia are attributed to unintentional, inadvertent actions.
Australian organisations, businesses and those companies entrusted with client data need to be doing a lot better than this.
The amount of insecure data that was discovered is staggering, to say the least. Thankfully it did not fall into the hands of malicious actors; the downstream effects could have been devastating.
Talk to us about your IT security concerns today.
Original article provided by Integersec.com.au and republished with permission.