Michael Page, a global recruitment consultancy, has been hacked and a wide range of personal information on 710,000 applicants has been stolen.
The company has formally admitted the attack in the past hour. The company claimed that the attack was perpetrated on 31 October and uncovered the next day.
It also claimed that the hackers are all very nice boys and girls and have agreed to destroy the purloined data, a suggestion we find somewhat odd. Michael Page warned in an email to clients that, while names, email addresses and passwords were all accessed, the passwords were encrypted. However, the company admitted in a statement issued in the past hour that the level of personal information spilled is much broader, including full names, email addresses, telephone numbers, locations, sectors, job types and current positions.
The company has pointed the finger of blame at its services partner, Capgemini, suggesting that the attackers accessed the data via a development server operated by Capgemini that was used to test Michael Page websites. Michael Page said in an email to applicants: "We regret to inform you that on 1 November 2016 we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini, for testing PageGroup websites.
"We are sorry to tell you that the details you provided as part of your mypage subscription have been identified as amongst those accessed. Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, which is a global leader in consulting, technology and outsourcing services.
"We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened."
Michael Page also suggested that the data had not been "taken with any malicious intent", and that the company had requested that the attackers "destroy or return copies" of the data. "They have confirmed that they have already destroyed it and we are confident that they have done so," said the firm.
The company claimed in the statement that "due to the nature of the data, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised." However, Michael Page clients, who include many working in IT, are less than impressed, especially with the use of personal production data on a development server without at the very least encrypting and anonymising it.
"You were entrusted with my data and you have broken that trust by putting my data on a development server and without anonymising it. This is a truly shocking lapse of control by both you and Capgemini," wrote one client. "It is one of the most basic rules that you do not use personal data in this way. I've been in IT for over 30 years and in every environment I have worked in, any data that contains personal information has been confined to production environments only."
Michael Page clients have demanded to know why it took 10 days to inform them, where the development server was located and the data protection rules applicable, why a development server was made accessible via the internet and whether Michael Page or Capgemini operated "controlled administrator-level access" to the server.
Michael Page said that it will not answer any further questions regarding the breach. The hack is just the latest in a series of compromises. Earlier this month, Cisco job applicants were warned of a potential mobile site data leak.