International recruitment agency Michael Page is contacting hundreds of thousands of job seekers, warning them that their personal information was exposed on a publicly accessible web server.
Here is the email that Michael Page is sending affected individuals:
We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites.
We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.
Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services.
We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.
Personal information leaked included job applicants’ names, email addresses, encrypted passwords, telephone number, location, work sector, current job and covering message.
What appears to have happened is that consulting giant Capgemini leaked the Michael Page data by publishing it on a publicly accessible development server.
You may well be asking yourself - what wombat uses real customer data on a development server?
The answer, it appears, is Capgemini.
Although Michael Page is portraying the data breach as the action of “an unauthorised third party [who] illegally gained online access to a development server”, that’s quite a lot of spin at play.
Because this wasn’t a hack in the conventional sense that circumvented security. Instead, the person who accessed the data simply visited the development server run by Capgemini and - shockingly - was able to simply download the database.
That’s the reason that Michael Page is able to also reassure users that “the data was not taken with any malicious intent.”
Nonetheless, it doesn’t mean that nobody else would have been capable of accessing the data with just as much ease. And it doesn’t excuse Capgemini for using real data on a development site.
And as for Michael Page’s assurance that “there’s no need to change your password”? Sorry, I don’t think they can afford to be that complacent.
You should, at your earliest opportunity, change the password you use with Michael Page *and* ensure that you are not using that same password anywhere else on the net.
Make your passwords strong, hard-to-crack, impossible-to-guess, and unique.
For further background reading on this incident, check out Troy Hunt’s blog.