Security researcher Troy Hunt has disclosed a breach at UK-based recruitment firm Michael Page: a 30GB archive containing data on 780,000 job applicants, allegedly including names, email addresses, passwords, cover letters and job history. The development server holding the compromised data is said to be operated by Capgemini, the firm's IT supplier.
Andrew Bushby, UK director at Fidelis Cybersecurity, comments: "While it's becoming increasingly clear that no-one is immune from a data breach, this latest compromise is interesting in terms of where blame is being laid. The compromised development server was allegedly operated by Capgemini, and it was those users that didn't anonymise the data, which would have protected it from being exposed. This live data should not have been used in a test environment, and there are readily available tools that make this possible.
"For the applicants whose information could now be on the open market, however, their trust was in Michael Page, not Capgemini. The new GDPR regulation puts more emphasis on data processors as well as data owners, in which case both parties would be responsible, rather than Michael Page as currently.
“Similarly to how employees are connected within a business, organisations are connected through a web of outsourcing and third parties. Michael Page itself, of course, will be a third party supplier to many other businesses. Whether it was the case in this incident or not, through these connections, hackers can move through networks and take advantage of vulnerabilities and privileges until they reach a point where they have the power to exfiltrate sensitive data. It is fundamental, therefore, that businesses take responsibility for scrutinising their partners’ security prowess.
"That said, hackers will always find a way in if they can, which is exactly why monitoring and analysis technology needs to be in full motion to detect hackers and analyse their movement through the network. Full investigations do take time, but it shouldn't have taken ten days to locate the compromised server. And, as for the fact that the culprits have agreed to destroy the data, if true that's good news; however, would you believe the pickpocket who told you that he'd cut up your credit card? Either way, data loss has occurred."
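The anonymisation the comment calls for, shown as an added example that is not code from the article, from Fidelis, or from either company named: a Python script that turns constructed sample applicant records into a copy fit for a development environment, using keyed pseudonyms so that records and employers can still be joined while nothing in the copy identifies a real person. The record layout, field names, the `PSEUDONYM_KEY` literal and the `test.invalid` mail domain are assumptions for the example; the sample records are made up.

```python
"""Build a pseudonymised dev-environment copy of applicant records.

Added example, not code from the article or the companies it names. The record
shape and field names are assumptions based on the data types the article lists.
"""
import hashlib
import hmac
import json

# Constructed sample data; every value below is made up.
APPLICANTS = [
    {
        "name": "Alice Example",
        "email": "Alice@example.com",
        "password": "hunter2",
        "cover_letter": "Dear hiring manager, I have eight years of experience...",
        "job_history": [
            {"employer": "Acme Ltd", "title": "Data Analyst", "years": 3},
            {"employer": "Globex", "title": "Senior Analyst", "years": 5},
        ],
    },
    {
        "name": "Bob Sample",
        "email": "bob@example.org",
        "password": "correct horse battery staple",
        "cover_letter": "To whom it may concern, please find my application...",
        "job_history": [{"employer": "Acme Ltd", "title": "Recruiter", "years": 2}],
    },
]

# Per-environment secret (assumed; load from a secret store in practice). Without a
# key, anyone who can guess an email address can recompute its hash and re-identify
# the record, so an unkeyed SHA-256 of the email is not anonymisation.
PSEUDONYM_KEY = b"dev-environment-secret-rotate-me"


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token: the same input always maps to the same token,
    so foreign-key style joins in the dev copy still line up."""
    mac = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def anonymise_record(rec: dict, key: bytes) -> dict:
    """Return a new record with direct identifiers removed or replaced.

    Allow-list approach: only the fields named here reach the dev copy, so a new
    column added to production cannot leak through unnoticed.
    """
    token = pseudonym(rec["email"], key)
    return {
        "applicant_id": token,
        "name": f"Applicant {token[:6]}",
        # Reserved TLD (RFC 2606): mail sent from a test run can never reach a real person.
        "email": f"applicant-{token}@test.invalid",
        # The password is dropped, not hashed: a test environment has no use for real credentials.
        "cover_letter": f"[cover letter redacted, {len(rec['cover_letter'])} chars]",
        "job_history": [
            {
                "employer": f"Employer {pseudonym(job['employer'], key, 8)}",
                "title": job["title"],   # generic titles kept; they carry little identity alone
                "years": job["years"],
            }
            for job in rec["job_history"]
        ],
    }


def make_dev_copy(records: list, key: bytes) -> list:
    return [anonymise_record(r, key) for r in records]


def leaked_values(original: list, dev_copy: list) -> list:
    """Check before export: does any original name, email, password or employer
    string survive anywhere in the serialised dev copy?"""
    haystack = json.dumps(dev_copy).lower()
    sensitive = set()
    for rec in original:
        sensitive.update([rec["name"], rec["email"], rec["password"]])
        sensitive.update(job["employer"] for job in rec["job_history"])
    return sorted(v for v in sensitive if v.lower() in haystack)


if __name__ == "__main__":
    dev = make_dev_copy(APPLICANTS, PSEUDONYM_KEY)
    print(json.dumps(dev, indent=2))
    print("leaked values:", leaked_values(APPLICANTS, dev))
```

The check in `leaked_values` is the part worth keeping in a pipeline: run it against the export as a gate, and refuse to ship the copy to the development server if it returns anything.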