Unsecured AWS servers belonging to two online recruitment firms – U.S.-based Authentic Jobs and Sonic Jobs in the U.K. – have exposed more than 250,000 CVs of job candidates.
Authentic Jobs, used by the likes of the New York Times and EY, took the biggest hit with 221,130 CVs exposed to the public, according to a SkyNews report. At Sonic Jobs, which specializes in recruitment for retail and restaurant jobs and is used by hotel chains Marriott and InterContinental, had at least 29,202 CVs made publicly accessible.
“When you apply for a job, you share sensitive personal data with the jobs board and the companies to which you’re applying. It’s their responsibility to protect that information from disclosure,” said Tim Erlin, vice president, product management and strategy at Tripwire.
Among the information potentially exposed are names, addresses, job histories and phone numbers.
“An unfortunate consequence of this is that more than 200,000 CVs have now been exposed online,” said Nominet Vice President Stuart Reed. “Even more worrying is that Amazon buckets come secure by default, so these companies have changed the settings at some point to allow anyone to view their data; demonstrating a significant lack of security understanding and best practice procedures.”
Reed said that two online recruitment firms exposed “shows that it’s not an isolated case.”
Organizations that use “cloud storage must regularly audit the permissions to ensure these kinds of breaches don’t happen,” Erlin said.
That includes raising awareness of potential security weakpoints when it comes to protecting data, particularly in the cloud. “Poor awareness has led to the exposure of sensitive information, which could now be used for a range of further criminal activities,” said Reed, noting the widened digital surface of attack in cloud environments. “Regardless of the security that cloud services deliver, companies need to take responsibility and ensure they have a multi-layered approach to their security; including people, processes and technology.”