Job-related information belonging to hundreds of thousands of individuals was exposed online after Capgemini inadvertently made public a database of Michael Page, a brand of UK-based global recruitment company PageGroup.
France-based Capgemini, which last year had a revenue of nearly 12 billion euros, specializes in consulting, technology and outsourcing services. The company, contracted by the recruitment giant for IT services, unintentionally exposed a Michael Page backup database containing an estimated 30 GB of SQL files that could have been accessed by anyone who knew what to look for.
The leak was brought to the attention of Australian security expert Troy Hunt by an individual who last month discovered a similar leak involving the Australian Red Cross Blood Service. The personal details of 550,000 individuals were exposed in the Red Cross incident.
After investigating the leak, PageGroup and Capgemini determined that the data was posted to a development server used for testing PageGroup websites. The recruitment firm notified customers that names, email addresses, encrypted passwords, phone numbers and job-related information were exposed in the incident.
Hunt said a single one of the database files contained 780,000 unique email addresses and other job details. The expert learned about the leak in late October, but waited until now to make it public to give the affected companies enough time to address the issue.
PageGroup believes the data is unlikely to be misused since it appears that only Hunt and the individual who tipped him off accessed it, and they both claim to have destroyed all the copies they had. The company told affected customers that they don’t need to change their passwords.
“We have ensured the website is secure. We are treating this issue very seriously and are working with our IT vendor, Capgemini, as a matter of urgency to fully investigate how this incident occurred and to put in place measures to ensure it does not happen again,” PageGroup stated. “Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands.”
Hunt pointed out that organizations of all sizes can be affected by serious vulnerabilities. The expert believes companies could avoid such incidents by running bug bounty programs, which have been increasingly popular among both public and private organizations.
“These were such low-hanging vulnerabilities that had there been even the slightest inkling of incentivisation, they would have been found very quickly and reported ethically via a channel that researchers could trust,” Hunt commented.