Security Market Segment LS
Saturday, 12 November 2016 08:26

Michael Page recruitment data leak lists millions of jobseeker details

By

Global recruitment firm Michael Page leaked 30Gb of job seeker private contact, employment and salary information, in a repeat of the very same circumstances that saw blood donor data leaked a fortnight ago.

It is almost incredible to think a web developer would enable directory browsing on a public-facing website and store their database backups in that very same folder.

Yet, that is what the Australian Red Cross Blood Donor service web developers did, resulting in about 550,000 donor's confidential information being exposed last month.

It is even more incredible to think this would happen and then happen again. Yet, this is exactly what has transpired in the case of global recruitment firm Michael Page.

Not only did Michael Page's web developers repeat the same mistake - enabling directory browsing on a public-facing website and saving database backups to it - but they continued to do so after the news of the Australian Red Cross Blood Donor data leak emerged.

This author can only shake his head in dismay and suggest the same lack of personal diligence and commitment to quality solutions by the individuals responsible also leads them to not pay attention to news about their field.

In essentially a play-by-play repeat of the last month's breach, a security investigator trawling the web for web servers with directory browsing enabled came across Michael Page's site. Just as before, this site included database backups.

In this case, the backups held over 30Gb of raw data from global job seekers, representing millions of unique individuals, and included their name, email address, telephone number, location, employment field, current job, and cover letters.

The individual who uncovered this made it known through Troy Hunt who identified consulting firm Capgemini as the responsible party.

Michael Page has sent emails to affected clients, and the individual who made this vulnerability known has deleted his own copy of the data.

Of course, as with the Australian Red Cross, there is no telling how many people had previously discovered this data and downloaded it previously.

It would be a reasonable prediction we are going to see this very same story again in the near future.

We have this one individual who has now single-handedly identified the same flaw with two websites and is most certainly continuing his probing, and we can suggest others will be using the same technique.

To be explicit, this data has not been exposed by exploiting any security vulnerability in a server or software, or via any social engineering or trickery. The simple fact is irresponsible web developers and systems administrators exposed data by a lack of diligence and vigilance. They enabled directory browsing on a public facing website and worse, they saved database backups to this very same public-facing directory browsing-enabled website.

In the case of Michael Page's data leak, Capgemini continued this practice despite reports of the Australian Red Cross data breach and how it occurred.


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments