Two weeks after we found out that the Red Cross leaked the personal data of 550,000 Australian blood donors, global recruitment firm Michael Page has suffered a similar fate. Around 30GB of raw data from job seekers who submitted their resumes and cover letters to the recruitment firm was exposed because database backups were published on a publicly facing web server managed by a third-party IT provider. The personal information found in the backups includes current employment details, locations of job applications and email addresses. Here's what you need to know.
Michael Page, which is part of PageGroup, has multiple offices across the globe, including in Australia. IT service provider Capgemini was hired to test the websites belonging to PageGroup.
According to the recruitment giant, the backups of databases containing the data of job applicants who went through Michael Page were stored on a development server.
Security expert Troy Hunt, who runs Have I Been Pwned?, a website that tracks security breaches that result in data leaks, first found out about the situation late last month. According to his blog post:
"It was the same individual who located the Red Cross data and the same story in terms of discovery and underlying risk on the server end; publicly exposed website, directory listing enabled, .sql files exposed. This time, the data was identified as belonging to Michael Page, the British-based (yet very global) recruitment firm… [H]e identified backups from a variety of different global assets totalling several gigabytes."
Considering the size of the backups, millions of individuals could have had their personal information exposed.
Here are the types of information that were in the database backups:
- First name
- Last name
- Email addresses
- Encrypted passwords
- Telephone number
- Sector that job seekers worked in
- Sub-sector that job seekers worked in
- Job type
- Current job (when applying through LinkedIn)
- Cover letter
While not every job applicant had provided every piece of information on the list, Hunt identified over 780,000 unique email addresses in one file. There was also plenty of data relating to candidates' jobs, such as cover letters describing their experience.
PageGroup has sent an email out to affected customers to inform them of the data breach. The individual who found the database backup has said he has deleted the data, but there's no guarantee that somebody else didn't get to the backups first and make copies.
Last month, it was revealed that the Red Cross data breach was also caused by a third-party IT services provider. Neither the Red Cross nor the PageGroup incident was the result of a sophisticated hacking attack; both were simply failures of basic security practices.