Recruitment Company Accused of Security Failing

By John Lister

Around 5.7 million files including resumes were unintentionally exposed by a recruitment company according to security researchers. The breach could put jobseekers at risk for a range of scams.

Cybernews says it spotted the files accessible and unprotected online. They came from HireClick, a recruitment company that describes itself as "The Most Affordable and Effective Hiring System on the Planet."

The files included resumes with full contact details for jobseekers along with details of their current and past employment. Although details such as full names, addresses, phone numbers and email addresses aren't the most sensitive data that could be leaked, Cybernews notes it brings both general and specific risk.

Identity Theft Threat

The general risk is "standard" identity theft, where such details give scammers some ability to take actions such as applying for credit in somebody else's name or attempting to redirect or intercept their mail. While the risk may be low, most jobseekers would likely prefer not to have these details publicly available.

The more specific risk comes from scammers having these details and knowing people are looking for a job. That could allow for targeted scams such as inviting people to apply for jobs or join a supposed recruitment company, or even making a bogus job offer.

The scammers could then try to get more details from the jobseeker, such as social security numbers, financial account details or identity documents such as driver's licenses. That could allow for more substantial identity theft and fraud.

Virtual Door Left Unlocked

Based on Cybernews' reports, HireClick was not actually "hacked." Instead, the documents were unintentionally made available through the "misconfiguration of [an] Amazon AWS S3 storage bucket." (Source: cybernews.com)

AWS is a hugely popular online storage and processing service that works a little like a self-storage locker for data. Both its physical setup and its pricing structure make it particularly popular among companies whose storage needs change frequently or expand rapidly; meeting those needs by buying or leasing equipment in the company's own facilities or a specific data center would be expensive and inefficient.

A "bucket" is simply Amazon's name for a collection of files or data that's treated as one unit for organization and security purposes. Users have control over who can access a bucket and it should be completely private by default. (Source: amazon.com)
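To show what "misconfiguration" means in practice, here is an added example (not code from the article or from HireClick) that checks the three S3 settings which decide whether a bucket is reachable by the public: the bucket ACL, the bucket policy, and the Block Public Access settings. The sample ACL, policy and block settings are constructed in the shape the S3 API returns them, and the public/not-public decision is a simplified model of how those settings combine.

```python
import json

# Constructed sample data in the shape the S3 API returns (GetBucketAcl,
# GetBucketPolicy, GetPublicAccessBlock); illustrative only, not HireClick's config.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_sids(policy):
    """Sids of unconditional Allow statements whose Principal is '*'."""
    sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            principal = "*" if "*" in ([aws] if isinstance(aws, str) else aws) else None
        if stmt.get("Effect") == "Allow" and principal == "*" and not stmt.get("Condition"):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids

def bucket_is_public(acl, policy, block):
    """Simplified model of S3 Block Public Access: a public ACL counts only when
    IgnorePublicAcls is off, a public policy only when RestrictPublicBuckets is off."""
    acl_open = bool(public_acl_grants(acl)) and not block.get("IgnorePublicAcls", False)
    policy_open = bool(public_policy_sids(policy)) and not block.get("RestrictPublicBuckets", False)
    return acl_open or policy_open

# Misconfigured: world-readable ACL, world-readable policy, no Block Public Access.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.loads('{"Statement": [{"Sid": "PublicRead", "Effect": "Allow", '
                        '"Principal": "*", "Action": "s3:GetObject", '
                        '"Resource": "arn:aws:s3:::example-resumes/*"}]}')
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
# Corrected: owner-only ACL, no bucket policy, all four Block Public Access settings on.
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    print("misconfigured bucket public:", bucket_is_public(OPEN_ACL, OPEN_POLICY, NO_BLOCK))
    print("corrected bucket public:", bucket_is_public(PRIVATE_ACL, {}, FULL_BLOCK))
```

The same checks can be run against live settings fetched with the AWS CLI or SDK; a bucket that is private "by default" only stays that way as long as none of these three settings is loosened.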

At the time of writing, HireClick had not commented publicly on the reports.

What's Your Opinion?

Does this sound like a significant security issue or is the risk overhyped? Would you be comfortable with your resume being publicly available with no details redacted? Are laws protecting the way companies secure personal data tough enough?


Comments

OadbyPC:

In this day and age, why do employers/agencies need so many details up front? They know there's a risk of them getting hacked!

IMHO what's needed is a government website for jobs where job seekers only upload their work experience. Only if someone is invited for an interview should they need to know your name and rough location. Any other details should only be asked for after a job has been offered, and I don't see why employers ever need to know my DoB??