Around 250,000 US- and UK-based job seekers' personal information has been exposed after two recruiting sites misconfigured their cloud storage. The exposed information included candidates' names, addresses, contact information, and work experience.
The data leak occurred when the recruitment sites Authentic Jobs and Sonic Jobs failed to set their cloud storage to private. The companies stored the candidates' profiles in Amazon Web Services (AWS) storage containers known as buckets.
Both companies had set their buckets' access to public rather than private, so anyone who knew a bucket's location could list the applicants' details and download them without any authentication.
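An S3 bucket becomes public through one of three settings: a bucket ACL grant to the AllUsers or AuthenticatedUsers group, a bucket policy whose principal is `*`, or the absence of the account's Block Public Access controls that override both. The following is an added example, not code from the article or from either company: it evaluates those three documents offline, with the misconfigured ACL and public-read policy beside the corrected versions. The input shapes follow what `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return; the sample documents, the owner ID and the bucket name `example-resume-bucket` are constructed.

```python
# Added example (not from the article, nor from Authentic Jobs, Sonic Jobs or AWS):
# an offline check of the three S3 settings that decide whether a bucket is public.
# Input shapes mirror what `aws s3api get-bucket-acl`, `get-bucket-policy` and
# `get-public-access-block` return; the sample documents below are constructed.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # anyone with any AWS account
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (group, permission) pairs the bucket ACL grants to a public group.

    A bucket-level READ grant lets the grantee list the bucket's keys; object
    download additionally needs a READ grant on each object ACL or a policy.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy):
    """Return actions that unconditional Allow statements grant to everyone.

    Simplification: statements carrying a Condition are skipped here, although a
    weak condition (e.g. only on aws:SecureTransport) still leaves a bucket public;
    AWS's own definition of "public" is stricter than this check.
    """
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _wildcard_principal(stmt.get("Principal")):
            action = stmt.get("Action", [])
            actions.extend([action] if isinstance(action, str) else action)
    return actions


def assess_bucket(acl, policy, public_access_block=None):
    """Combine ACL, policy and Block Public Access into a listable/downloadable verdict."""
    pab = public_access_block or {}
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    # restricts a public policy to the bucket owner's account and AWS services.
    acl_findings = [] if pab.get("IgnorePublicAcls") else public_acl_grants(acl)
    actions = [] if pab.get("RestrictPublicBuckets") else public_policy_actions(policy)
    listable = (any(perm in ("READ", "FULL_CONTROL") for _, perm in acl_findings)
                or any(a in ("s3:*", "s3:ListBucket") for a in actions))
    downloadable = any(a in ("s3:*", "s3:GetObject") for a in actions)
    return {"listable": listable, "downloadable": downloadable,
            "acl_grants": acl_findings, "policy_actions": actions}


# Constructed sample documents (hypothetical owner ID and bucket name).
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64, "DisplayName": "recruiting-site"}
# The misconfiguration the article describes: everyone may list the bucket.
WEAK_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# The corrected ACL: only the owning account has access.
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
# A "public-read" policy: anyone may download every object in the bucket.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resume-bucket/*"}]}""")
# Block Public Access with all four settings on, which a private bucket should carry.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("exposed:", assess_bucket(WEAK_ACL, WEAK_POLICY))
    print("blocked:", assess_bucket(WEAK_ACL, WEAK_POLICY, BLOCK_ALL))
    print("private:", assess_bucket(PRIVATE_ACL, {}))
```

To run this against a real bucket, feed it the output of `aws s3api get-bucket-acl --bucket NAME`, `aws s3api get-bucket-policy --bucket NAME` (whose `Policy` field is a JSON string that still needs `json.loads`) and `aws s3api get-public-access-block --bucket NAME` (its `PublicAccessBlockConfiguration` object). The fix the companies applied, setting the buckets to private, corresponds to the `PRIVATE_ACL` shape plus all four Block Public Access settings; AWS now enables those settings and disables ACLs on newly created buckets by default, so this exposure pattern mostly survives on older buckets and ones where the defaults were deliberately switched off.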
The data breach was discovered by security researcher Gareth Llewellyn and reported to Sky News in the U.K.
“By finding and closing these buckets we can protect people who placed their trust in these businesses and, hopefully, start drawing attention to the dangers of storing personal data in a woefully insecure manner,” Gareth Llewellyn said. “Just because they leveraged a service like AWS, or even outsourced to a third-party entirely, doesn’t preclude them from ensuring the data entrusted to them is safe.”
According to the official reports, the U.S.-based job portal Authentic Jobs, whose client list includes EY and The New York Times, exposed over 221,130 resumes online. A further 29,202 resumes were exposed by the UK-based retail and restaurant jobs app Sonic Jobs, which is used by the Marriott and InterContinental hotel chains for recruitment.
After being warned of the exposure, both companies locked the buckets down by changing their access settings to private. "We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said in a statement.
“With limited resources, as a small business, we are confident that we take reasonable and proportionate measures to protect the confidentiality, integrity, and availability of our business data and the personal data we hold,” Sonic Jobs said.
In a similar incident, an unprotected MongoDB server exposed online a database containing the résumés of 202 million Chinese job seekers.
Security researcher Bob Diachenko discovered that the server was reachable from the internet without a password, exposing résumés that contained personal details such as mobile phone numbers, email addresses, marital status, driver's license details, literacy level, salary expectations, skills, and work experience. The leaky server was secured soon after Diachenko publicized the issue in a Twitter post.