Compromised data was on a development server and included personal details on 780,000 job applicants
Security researcher Troy Hunt has exposed UK based recruitment firm Michael Page for a 30GB data archive breach, which contained data on 780,000 job applicants.
The data allegedly included names, email addresses, passwords, cover letters and job histories. A development server containing the compromised information is said to have been operated by Capgemini, the firm’s IT supplier.
Andrew Bushby, UK director at Fidelis Cybersecurity, said of the blunder: “While it’s becoming increasingly clear that no-one is immune from a data breach, this latest compromise is interesting in terms of where blame is being laid.
“The compromised development server was allegedly operated by Capgemini, that didn’t anonymise the data which would have protected it from being exposed.”
It has been good industry practice for some time to anonymise real data in testing environments after previous similar leaks going back many years at other organisations, including at financial institutions.
Since the data leak, which happened earlier this month, Michael Page has said there was no malicious intent from the third party that captured the data. The recruitment firm however was still forced to write to the 780,000 job applicants contained in the affected data, informing them of the breach.
Bushby added: “It is fundamental that businesses take responsibility for scrutinising their partners’ security prowess.
“The new forthcoming GDPR (General Data Protection Regulation) puts more emphasis on data processes as well as data owners, in which case both Michael Page and Capgemini would be responsible – rather than just Michael Page as it is currently.”