Millions of job seekers’ info exposed via easily accessible database backups
A data leak has exposed sensitive information about millions of job seekers that used global recruitment firm Michael Page.
As with several recent leaks, the company learned of it through Troy Hunt, the creator and administrator of the Have I Been Pwned (HIBP) online service.
“It was the same individual who located the Red Cross data and the same story in terms of discovery of an underlying risk on the server end; publicly exposed website, directory listing enabled, .sql files exposed,” Hunt explained.
The person in question provided Hunt with a backup file containing information on UK job seekers, which allowed him to estimate that all the backups that were accessible contained well over 30GB of raw data. The UK backup contained data on 780,000 people.
“The file I received included table names indicating that as with the Red Cross, this was the output of mysqldump and in this case it contained table names pointing to Acquia, a hosted Drupal platform,” Hunt pointed out.
Hunt was made aware of the leak on October 30 and forwarded the information to Capgemini, a multinational consulting and outsourcing firm that is Michael Page’s IT provider.
After a week or so of investigation, Michael Page began sending out emails to potentially affected parties.
“We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites. We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed,” the company said.
“We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.”
The accessed data included the affected parties’ names, email addresses, (encrypted) passwords, telephone numbers, locations, information about their current jobs and their covering messages (if they uploaded one).
“The data exposed is usually openly available from other sources on the internet and therefore we believe there is little risk of it being used for fraudulent activities but you should always be vigilant for scams such as phishing,” the company noted in a FAQ section it set up to provide information about the leak.
The company did not say for how long the data was reachable from the Internet, nor address the possibility that other individuals, with potentially malicious intent, found and copied it before it was taken down.
Publishing databases to publicly facing websites is, unfortunately, a “shockingly common” state of affairs, Hunt notes.
“As much as we’re working through really creative new defences against attacks, we’re also still alarmingly bad at the basics,” he concluded, and advised companies to take advantage of bug bounties to fix low-hanging vulnerabilities like this one (and others).
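The failure Hunt describes (a web server with directory listing enabled and raw mysqldump output sitting in a served directory) is a configuration problem, so the fix is a configuration fix. The nginx fragment below is an added illustration, not configuration from Michael Page, Capgemini or Acquia; the document root, hostname and `backups/` path are assumed placeholders. The first `location` block reproduces the weak state for contrast; the remaining blocks show the settings a server should have been running.

```nginx
# Added illustration (not the affected company's configuration).
# Placeholder hostname and paths; adjust to your own deployment.

server {
    listen 80;
    server_name dev.example.invalid;          # placeholder hostname
    root /var/www/site/web;                   # placeholder document root

    # --- WEAK: what the leak relied on ------------------------------------
    # autoindex on   -> anyone who guesses a directory URL gets a listing,
    #                   including any .sql dump dropped there.
    # location /backups/ {
    #     autoindex on;
    # }

    # --- CORRECTED ----------------------------------------------------------
    # 1. Never generate directory listings anywhere on this vhost.
    autoindex off;

    # 2. Refuse to serve database dumps and common archive/backup extensions
    #    outright, even if a file is placed under the document root by mistake.
    #    "return 404" rather than 403 avoids confirming that the file exists.
    location ~* \.(sql|sql\.gz|sql\.bz2|dump|bak|tar|tar\.gz|tgz|zip)$ {
        return 404;
    }

    # 3. Deny dotfiles such as .env or .git, which also leak credentials and
    #    source (but allow the ACME challenge path used for TLS issuance).
    location ~ /\.(?!well-known) {
        return 404;
    }

    # 4. Normal application traffic.
    location / {
        try_files $uri /index.php?$query_string;
    }
}
```

Two points go beyond the fragment itself. First, the real control is to keep dumps out of the document root entirely: `mysqldump` output belongs on a separate volume with filesystem permissions that the web server user cannot read, and `location` rules are only a backstop. Second, development and test servers, which is where this data was found, usually deserve stricter treatment than production (IP allow-listing or HTTP authentication at the edge), because they are exactly where copies of production data tend to accumulate without the monitoring production gets.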