Recruitment agency data breach exposes 17,000 yachting industry professionals

A data breach at UK-based Crew and Concierge Limited has exposed the personal data of 17,379 people of 50 different nationalities working in the yachting industry.

Crew and Concierge is an international recruitment agency specialising in securing staff for ultra-high-net-worth clients’ yachts operating around the world.

The server, which was discovered during a Verdict investigation, consisted of over 90,000 files, all of which appeared to relate to individuals on Crew and Concierge’s books. It was left exposed on a misconfigured unsecured Amazon Web Services (AWS) S3 bucket and appears to have been online and available for anyone to access without a password since February 2019.

Crew and Concierge, which is registered as a data controller with the UK’s Information Commissioner’s Office (ICO), secured the bucket within hours of being notified of the data breach. Crew and Concierge said it has not seen any evidence that its files have been maliciously accessed.

For all individuals, the data exposed included a CV or resume. In most cases, this contained the individual’s full name, phone number, email, nationality, visas held, date of birth, work history and professional qualifications.

There were also 1,295 scanned copies of passports, around 1,000 of which are still in date, at least 500 scans of visas and over 1,000 seafarer medical certificates, known as ENG1 forms.
In a statement to Verdict, the full version of which can be viewed here, Sara Duncan, director of Crew and Concierge, said that the company had taken a number steps to resolve the breach, including hiring a cybersecurity expert. She said:


“From the moment we learnt of the breach my team and I have worked tirelessly to identify the sources of disclosure, detect the areas of weakness, close the vulnerability, recover control of the data, identify precisely what data was compromised, and minimise the potential risk and harm to the affected individuals.

“We have been advised by the cybersecurity consultant that exploitation of S3 buckets is by no means a straightforward activity and that it appears likely that the individual or individuals responsible have developed advanced tools designed specifically to identify AWS customers and whether or not they have misconfigured instance that may leave it open to malicious attack.

“In our case, the confidence was placed in the team of developers we had hired, trusting that they would do a competent job and implement appropriate and proportionate technical and organisational measures to ensure the protection of the large volumes of information, including personal and sensitive personal information relating to our registered crew.

“We have since established that the breached AWS S3 bucket that we outsourced contained personal data stolen by a malicious actor/s based on a misconfiguration by a third party and published into the public domain.

“This impacts Crew and Concierge, and its valued clients and staff, for which we take full responsibility as the data controller. In the very short period, we have come to understand the true impact of a cyberattack, and we have learnt many valuable but hard lessons.
“I would like to confirm that to date we have no confirmation from the journalist or the site that exposed our data that these files have been accessed.”

A spokesperson for the Information Commissioner’s Office (ICO), which handles reports of data breaches in the UK that fall under GDPR, told Verdict: “Crew and Concierge Limited has reported an incident to us and we will assess the information provided.”

Data exposed in the Crew and Concierge breach
While a large portion of those affected are from the UK, South Africa and Australia, there are over 50 nationalities represented in the data breach. As the agency finds individuals for a wide range of different roles within the yachting industry, there were also a large range of different supporting files, many of which contain personal data.

For a significant minority of the individuals affected, there were over ten different documents, including letters of reference from previous employers, as well as specialist qualifications and other supporting documents.

One of the most serious examples was the presence of 1,419 medical certificates, which included details such as vision and hearing health alongside full name, date of birth, passport number, as well as a small number of drug test results.

There were also thousands of professional certificates, including personal survival, first aid and fire prevention qualifications, as well as over 500 licenses, which were a mix of maritime and drivers’ licences.

In a small number of cases, there were also military service records, with eight different navies represented.

As Crew and Concierge places chefs, there were also at least 1,900 sample menus.

How the data breach could impact yachting industry professionals
If the bucket has been accessed by cybercriminals, the data exposed puts those affected at risk of a host of crimes – according to cybersecurity experts.

“Cybercriminals can do a lot of damage with a large list of breached data simply containing names and emails but add personal and highly sensitive data to the mix and the risk exponentially increases,” said Jake Moore, cybersecurity specialist at ESET.

“Passport and driver’s license details could mean people get targeted with identity fraud, but adding medical information into the criminal treasure trove can increase the risk of extortion. Typically, if data like this gets into the wrong hands via the dark web, it is a race against time to make those victims aware of the breach.”

Could Crew and Concierge be fined under GDPR?
It is possible that Crew and Concierge will be liable to be fined under GDPR, which came into force on 25 May 2018.

Under GDPR, the ICO can levy a fine of up to €20m or 4% of global annual revenue, whichever is higher.

According to Robert Wassall, director of legal services at Norm Cyber, the fact that some of the data included medical records is a particular concern, as these are classified as a ‘special category’ of data that is considered more sensitive than other personal data.

“[The] ICO is always especially concerned if a breach involves ‘special category’ data,” he said, giving the example of a fine levied against London-based pharmacy Doorstep Dispensaree in December for leaving physical medical files out where they could be viewed by unauthorised parties.

He also said that the presence of military records “means that some individuals were particularly at risk”.

Lessons from the data breach
For those that have been impacted by the breach, the advice is to use caution.

“Luckily there isn’t any evidence that this data has got into the wrong hands but to be on the safe side, anyone who has had their data left open should be alerted to the heightened risk and be informed of using caution when further personal details are requested by unsolicited means,” said Moore.

There are also vital lessons for companies handling this type of data.

Misconfigured cloud servers are a common source of breaches, despite the fact that many services, including those provided by AWS, are secure by default.

It is essential that companies using such products ensure they have the correct security settings in place, particularly recruiters and others handling sensitive personal data.

“All recruitment agencies have a duty to take security more seriously, carefully consider what sensitive information they really need to store in their database, and ensure that safeguards are in place so only authorised personnel can access them,” said cybersecurity expert Graham Cluley.

This is the second data breach to impact the yachting industry this year. Less than a week ago, the Royal Yachting Association informed its members that an unauthorised party may have accessed its membership database