Millions of jobseekers had their data exposed, including 713,000 Australians

Photo: iStock

A global recruitment company has accidentally exposed the information of millions of jobseekers to the public, reports technology blogger Troy Hunt.

Hunt, who runs the data breach directory haveibeenpwned.com, claims multinational recruitment firm Michael Page had at least 30GB of databases sitting on a publicly accessible server.

The information within them included email addresses and private information such as cover letters detailing work experience. Hunt estimated to iTnews that 8 million user records were affected, with 713,000 individuals exposed in the Australian database.

Hunt was tipped off on October 30 and waited until remediation by Michael Page before going public. His informant is the same person who discovered last month’s Red Cross Blood Service data leak of 1.3 million user records — believed to be Australia’s biggest ever data breach.

Hunt’s blog reported that multinational consulting and outsourcing firm Capgemini was responsible for mishandling Michael Page’s data, which the recruitment company confirmed. Business Insider has contacted Capgemini for comment.

“We are deeply disappointed that this breach occurred and wish to apologise to those affected,” said a Michael Page spokesperson, while disputing the number of records found by Hunt.

“We know that the records of 711,000 candidates was accessed, with candidate data relating to the following countries – China, Netherlands and the UK,” the spokesperson said. “Due to the nature of the data, there is limited risk of fraudulent activity for those affected.”

“All of the individuals affected have been sent an email, which details the level of information that was accessed. We are working closely with Capgemini to investigate how this incident occurred. We are also working hard to put measures in place to ensure that an incident of this nature does not happen again.”

The mechanics of the Michael Page breach were remarkably similar to the Red Cross incident. In both cases, no hacking was required as the databases had been copied into a publicly exposed folder on a public-facing server. All it took was a simple download to obtain the information.

Hunt said that while everyone’s working hard on new defences against attacks, “we’re also still alarmingly bad at the basics”.

“As with the Red Cross situation, there were numerous failings which led to the exposure of this data,” he said of the Michael Page incident.

In both cases, Hunt and his source deleted their copies of the exposed data, but he says the latest incident again illustrates the need for companies to put on bug bounties — financial incentives for staff to point out security flaws.

“These were such low-hanging vulnerabilities that had there been even the slightest inkling of incentivisation, they would have been found very quickly and reported ethically via a channel that researches could trust,” he said.

Michael Page operates in more than 30 countries and placed 15,500 positions just in the Asia-Pacific last year. Capgemini has more than 180,000 staff spread across 40 countries.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.