UK-based international recruitment firm Michael Page has had a database of 780,000 of its job applicants from around the world accidentally leaked by consulting firm Capgemini.
The data has been revealed by password-collector Troy Hunt, who received a 30GB archive from the same person who disclosed to him the data from the Australian Red Cross. According to Hunt, the data includes names, email addresses, cover letters, and job history of the firm's employment candidates.
Troy blogged about the leak, which he says has many similarities to the Red Cross leak, as it was not carried out using sophisticated state-sponsored hacking methods but rather, as Hunt put it, “by merely downloading a database backup from the website it had been published to.”
Hunt was sent a screenshot of a directory listing of all the backup files and said, “he'd identified backups from a variety of different global assets totalling several gigabytes. He sent over a file indicating it was sourced from the UK as a proof.
“It was a 362MB compressed file which extracted out to 4.55GB. Assuming a similar compression ratio, the files in the directory listing above would total well over 30GB of raw data which is a very large set of data to leak publicly,” Hunt added.
When asked for a statement on why the breach happened at Capgemini, a consulting company worth €11.45 billion that prides itself on top-notch cyber-security prowess, a spokesperson told SCMagazineUK.com that, “Privacy and security are key priorities for Capgemini; we are confident in our security procedures and data protection measures and are continuously improving them.”
It all seems a bit ‘business as usual’ for the consulting firm, which did not answer any questions with regard to extra IT training for staff, or even whether those affected could expect a simple apology, saying “we stand by this statement”.
Eamon Collins, group marketing director of the PageGroup, sent an email to job applicants affected saying: “We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites.”
Collins says that in response, the company has: “immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent.”
Assuming everyone on the internet will play ball, Collins added: “We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.”