A UK recruitment firm exposed sensitive applicants' data for months
By Habiba Rashid on May 20th, 2021
Tags: AWS, Data, database, LEAKS, security
The company was informed about the exposed data in December 2020, but it only responded and secured the data in March 2021.
The firm FastTrack Reflex Recruitment recently joined the ranks of companies that have been affected by data leaks due to misconfigured AWS S3 buckets. The breach primarily affected applicants whose CVs containing personal information were leaked, reports the research team at Website Planet.
Attached to numerous CVs were the personal IDs of applicants, including passports, citizen ID cards, driver’s licenses, and skilled worker IDs. All of these constitute direct and indirect applicant PII. Examples of directly identifiable PII include the following:
Full names
Email addresses
Home addresses
Dates of birth
Passport numbers
Applicant photos
Mobile phone numbers
Social network URLs for some applicants.
It is worth noting that the configuration of the server is not the responsibility of Amazon but rather the company, FastTrack, that is using it as a public cloud storage resource.
Example of leaked data (Image: Website Planet)
According to Website Planet’s blog post, the bucket included 21,000 client files (including duplicates), equating to 5GB of data, which were left unprotected and open to abuse by any hacker or cybercriminal with malicious intent.
Moreover, tens of thousands of people could be affected by this. As a result of this exposure, FastTrack could face action under GDPR and the UK’s Data Protection Act 2018.
The clients could be affected through various criminal acts if cybercriminals found this unprotected database. These include identity theft, fraud, scams, phishing, malware, theft, and account takeover.
The company, on the other hand, will be affected by its failure to adhere to data privacy laws such as GDPR, under which it could be fined around €20 million, or 4% of its annual turnover (whichever is higher).
Additionally, they could possibly face a loss of business due to their existing customers losing trust in their firm and their potential new applicants being driven away.
The data breach was first discovered on 29th December 2020 by the Website Planet research team, and the company was contacted on 15th and 17th January 2021. It only replied on 17th March, after several attempts to contact it, and the bucket was secured on 23rd March 2021.