It is no longer news that several data breaches occurred between last year and this year. While small companies such as GameStop, Panera Bread and Lord & Taylor were affected, big names like Facebook, Ticketmaster, Quora, Under Armour and so on were also affected. Data breaches cut across different industries and different continents; hence, they are not just one group of people’s problem but a general phenomenon.
While sectors such as finance, technology and government are at the forefront of data breaches, other sectors like health, recruitment and others are not left out. Data breaches are a big deal for lots of people, as databases containing personal information as well as vital organisational information are leaked online or hacked into for personal gain. Many people have heard about data breaches and are more conscious of online security, but do they know how serious the problem is, especially in some sectors?
Among the least frequently discovered and discussed data breaches are those in the recruitment sector. This is evident in the number of publications, news items and online materials on recruitment data breaches as compared to those in other sectors like finance, health and government. This is not to say that there are just a few recruitment breaches; rather, they are less exposed to the public. This write-up is focused on recruitment breaches within 2018/2019 and aims to enlighten readers.
What are Recruitment breaches?
The recruitment sector is concerned with shortlisting, selecting, verifying and appointing suitable candidates for jobs within an organisation. Recruitment for companies can be internal or external. For internal recruitment, the organisation puts together a recruitment team headed by the recruitment manager or director of recruitment (depending on the organisation) and, through a laid-down recruitment process, appoints new employees for the organisation. External recruitment involves the use of a third-party company or organisation to recruit suitable candidates for vacant positions in the organisation.
Many small-scale and medium-scale organisations employ the internal recruitment process, while large-scale organisations mostly employ the services of third parties known as job recruitment tools, recruitment systems or recruitment organisations. With a third-party recruitment organisation, things are more organised, as the process is systematic and there are few or no hitches for the companies or the applicants.
A data breach is an illegal infiltration of sensitive or protected data by someone (a hacker) or a group of people for political gain, monetary gain or as a means of cyber bullying. When data breaches occur, important and sensitive data such as personal information, credit card records, emails, financial transactions, personal chats and conversations and a host of others are leaked online for others to see or to be used in a dubious manner.
Recruitment breaches are illegal infiltrations into the databases of recruitment agencies or the recruitment portals of companies. Recruitment breaches mostly aim at revealing applicants’ personal information like birth certificates, social security cards, salary requirements, portfolios and so on, which can lead to extortion, cyber bullying, confusion or a plain attack on the agency. Applicants are usually more at risk when a recruitment breach occurs, as some recruitment results are hacked into, causing confusion and the need for a retake. The damage is usually so great that no amount of compensation can rectify and repay the losses.
How are these breaches carried out?
People often wonder how these data breaches occur; after all, they trusted the sites before commencing operations on them. There are several ways a breach can be carried out:
- An exploit: Hackers and cyber criminals take advantage of software bugs or vulnerabilities in the code of a system or page. These bugs create leaks, allowing the hacker to explore the system and access private and sensitive information. This information is copied or pasted online for the hacker’s personal gain.
- A SQL injection or SQLI: This attack exploits weaknesses in the software of unsecured websites in order to gather private information from the websites.
- Spyware: This is malware that can be mistakenly downloaded from the internet; it infects your system or network and steals personal information and valuable data about you.
- Phishing: This occurs when people are manipulated into revealing their personal information, for example through an email requesting that you sign into your social media accounts or bank account so that your login details can be stolen.
- Broken or misconfigured access controls: This occurs when private parts of a website become public as a result of broken or misconfigured parts of the website. This mostly occurs with business websites.
Most companies have their databases exploited, have spyware stealing their clients’ data, or have broken or misconfigured access controls. These data breaches occur mostly as a result of negligence or a lack of proper attention to the security of their systems or pages.
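As an added illustration of the SQL injection item above (not code from any of the companies mentioned; the `applicants` table, its columns and the sample rows are constructed for this example), the applicant lookup below shows the unsafe query-building pattern next to the parameterised form that closes it:

```python
import sqlite3

def make_db():
    """Build an in-memory applicants table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE applicants "
        "(email TEXT PRIMARY KEY, name TEXT, salary_expectation INTEGER)"
    )
    db.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?)",
        [("ann@example.com", "Ann", 70000),
         ("bob@example.com", "Bob", 85000),
         ("cy@example.com", "Cy", 60000)],
    )
    return db

def lookup_vulnerable(db, email):
    # Vulnerable: the input is pasted into the SQL text, so quote
    # characters inside it can change the structure of the query.
    query = ("SELECT name, salary_expectation FROM applicants "
             "WHERE email = '" + email + "'")
    return db.execute(query).fetchall()

def lookup_hardened(db, email):
    # Hardened: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    query = "SELECT name, salary_expectation FROM applicants WHERE email = ?"
    return db.execute(query, (email,)).fetchall()

def demo():
    """Run both lookups on a normal and a crafted input."""
    db = make_db()
    crafted = "x' OR '1'='1"  # textbook input that rewrites the WHERE clause
    return {
        "normal_vulnerable": lookup_vulnerable(db, "ann@example.com"),
        "normal_hardened": lookup_hardened(db, "ann@example.com"),
        "crafted_vulnerable": lookup_vulnerable(db, crafted),
        "crafted_hardened": lookup_hardened(db, crafted),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

With the crafted input, the concatenated query returns every applicant's record, while the parameterised query returns nothing because no applicant has that literal string as an email address.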
What does a recruitment breach mean to an applicant?
- It means you are exposed to a potential cyber attack.
- It means your privacy has been invaded.
- It means you are at risk of being extorted by any means.
- It means that the recruitment exercise has been tampered with.
- It means that you could be locked out of your accounts: bank accounts, phone, social media accounts etc.
- It means your physical, mental and cyber security has been compromised.
- It means you may not be able to get the job you have applied for.
Recruitment breaches 2018/2019
There have been a lot of data breaches within 2018/2019 across different industries, including the recruitment industry. Many industries suffered heavy losses, and many customers and users of the breached companies were affected. People’s personal information was leaked, their accounts compromised, their privacy invaded, their credit scores altered and so on. Companies and organisations had their products stolen and prized business and political information exposed, and had to face the embarrassment of being hacked.
Recruitment agencies and portals were not left out, as a major recruitment breach occurred around May 2018 in Australia. A large software provider which lots of companies in Australia employ for their recruitment exercises was attacked and had its data leaked online, exposing details of many job seekers. The breach was not discovered until later, around June, and even then it was only suspected. The announcement led to panic amongst users and employers of the job software tool, PageUp. Many companies and corporations, like Australian Universities, AusPost, Coles, Telstra, Commonwealth Bank, NAB, MediBank and Reserve Bank of Australia, were affected, as they had to shut down their job pages.
Many people lost job opportunities as the results from the recruitment exercises were tampered with, and many retakes had to occur, costing more resources and energy. Some companies, such as Australian Broadcasting Company (ABC), Asahi, Myer and Macquarie, had to pull their job pages on account of the suspected data breach. This data breach kept on affecting several companies months and months after its occurrence.
While this occurred in 2018, it was reported in early 2019 that Chinese HR firms and recruiting agencies were discovered to have leaked more than half a billion résumés. The report stated that the résumés had been leaked for some time before being discovered. Further investigations later revealed the sources of the leak.
Across an ocean, in the US, it was discovered that a job recruitment site, Ladders, exposed 13 million user profiles. This clearly shows that data breaches occur everywhere. Many recruitment breaches occurred within 2018/2019, and many applicants’ information was leaked. So many were affected, their privacy invaded and their security compromised. The affected companies also suffered a great deal, as many lawsuits were filed and many CEOs were forced to resign. Below is a list of recruitment breaches in 2018/2019.
List of data breaches in the recruitment sector 2018/2019
- Hack exposed personal data of job candidates at Australia’s top companies – https://www.businessinsider.com.au/pageup-data-breach-recruitment-australia-companies-2018-6/
- Costa Coffee job applicants’ details exposed in cyber attack on recruitment website – https://www.telegraph.co.uk/technology/2018/07/02/costa-coffee-job-applicants-details-exposed-cyber-attack-recruitment/amp/
- Whitbread recruitment system suffers data breach – https://www.irishtimes.com/business/agribusiness-and-food/whitbread-recruitment-system-suffers-data-breach-1.3551307?mode=amp
- PageUp data breach: thousands of job seekers’ details potentially exposed – https://amp.theguardian.com/technology/2018/jun/07/thousands-of-job-seekers-details-potentially-exposed-in-hack
- Bank details, TFNs, personal details of job applicants potentially compromised in major PageUp data breach – https://www.google.com/amp/amp.abc.net.au/article/9840048
- ALDI Unpacked: Response to PageUp security breach – https://www.aldiunpacked.com.au/Article/June-2018/Response-to-PageUp-Security-Breach
- ComplyRight Data Breach Affects 662,000 Gets Lawsuit – https://www.schellman.com/blog/complyright-data-breach-affects-662000-gets-lawsuit
- PageUp data breach forces Coles, Aus Post and more to close careers websites – https://www.afr.com/technology/pageup-data-breach-forces-coles-aus-post-and-more-to-close-careers-websites-20180606-h110rs
- BP data breach widens to 60,000 people after malware attack on PageUp job portal – https://i.stuff.co.nz/business/105424887/bp-data-breech-widens-after-malware-attack-on-job-portal
- Data breach exposes personal details of job seekers – https://www.hcamag.com/au/news/general/data-breach-exposes-personal-info-of-jobseekers/154193
- East Lindsey Council data Breach reveals job applicants’ pay – https://www.bbc.co.uk/news/amp/uk-england-lincolnshire-46303740
- Chinese HR firms and recruiting agencies found to leak more than half a billion resumes – https://www.scmagazine.com/home/security-news/data-breach/chinese-companies-were-discovered-to-be-leaking-more-than-half-a-billion-resumes-on-the-web-via-poorly-secured-elasticsearch-and-mongodb-databases/
- Job recruitment site Ladders exposed 13 million user profiles – https://techcrunch.com/2019/05/01/ladders-resume-leak/
Steps taken on Recruitment breaches 2018/2019
Following a series of recruitment breaches in 2018/2019, the General Data Protection Regulation code of law was enacted and took effect in spring 2018. It was enacted by the European Union (EU) to protect EU citizens. The code of law applies to any and every company or organisation that keeps digital data on EU citizens, regardless of its location. It protects its members by ensuring that companies maintain certain high security levels and report any information related to a data breach within 72 hours of detection. Failure to adhere to the rules will lead to a fine of the larger of 4% of the company’s annual revenue and 20 million pounds.
This step allows for quick action on data breaches that are discovered early and helps mitigate the damage done. It also helps to keep companies on their toes and to check their lackadaisical attitudes towards data breaches. Ultimately, customers are assured that their personal and valuable data are secured and that, if exposed, the situation can be quickly rectified.
Should companies involved in data breaches be held responsible?
This is a million-dollar question asked every time there is a reported data breach. The companies targeted suffer innumerable losses from lawsuits filed by their customers or users. They have to pay compensation to those affected, and at times the heads are forced to resign. But the question is: are they responsible for the breaches?
Since we understand the concept of breaches and how they occur, we can infer that most breaches occur as a result of negligence or not enough attention to the security systems of the companies’ pages or websites. It has been reported that some managers were forewarned of a potential breach but did not heed the warnings. While some overlooked it in a bid to save costs, others did not pay much attention to the vital aspect of their systems: security.
Data breaches are committed by hackers and cyber criminals, so should they not be held responsible? Well, there is no way you can stop a criminal from committing crimes; he or she can only pay for the crimes once caught. If security were top-notch, the possibility of a breach happening would be low or next to nothing, and if a company is warned about one, the warning should be taken seriously and appropriate measures put in place to salvage the situation. This is to say that data breaches can be prevented and kept to a minimum.
In conclusion, the world has seen so many recruitment breaches, and the 2018/2019 recruitment breaches were eye-openers and a call to action. So many people lost opportunities of a lifetime, while some had their private space invaded, some were extorted, some had their accounts compromised, and there were many other issues. Companies had issues recruiting people, breached their agreements with their users, were embarrassed for being hacked, had to pay fines, and some had to fire their heads.
Recruitment breaches can be as brutal as any other data breach, and it should be noted that they do occur; they might not be as publicised as those of other sectors, but they do exist. Companies employing the services of third-party recruitment agencies should be careful and investigate thoroughly before subjecting their future employees to cyber attacks. Most importantly, security measures should be taken to prevent data breaches as far as possible, and when breaches are discovered, the situation should be salvaged to prevent further damage.
Recruitment breaches 2018/2019 is a write-up aimed at enlightening readers and was put together after thorough research on the topic.