CVs of UK, US job applicants exposed online

Two online recruitment companies leave AWS buckets holding CVs of more than 200,000 job-hunters public

Two online recruitment companies have exposed the CVs of more than 200,000 job-hunters, revealing personal details such as name, address and phone number, reported Sky News.

US-based job board Authentic Jobs exposed 221,130 CVs, while Sonic Jobs, a UK retail and restaurant jobs app used by the Marriott and InterContinental hotel chains, left 29,202 CVs accessible. The number might be higher, said the report.

Both firms had set the settings on their Amazon Web Services (AWS) buckets public, leaving the stored CVs accessible to anyone who knew the location of the bucket.

Authentic Jobs told Sky News it is "looking into how this happened"  while Sonic Jobs said it was "immediately reviewing" how the bucket was left public.

"This is another incident of an organisation deploying new technology without considering the security implications. If the data was accessible to anyone with an internet connection then there is a high chance it already has been accessed by unintended parties," said Robert Ramsden-Board, VP of EMEA at Securonix.

"This is definitely not the responsibility of AWS, but of Authentic Jobs and Sonic Jobs," said Sergio Loureiro, cloud security director at Outpost24.

The Amazon Web Services (AWS) official policy states that it will ensure that only authorised parties have physical access to their data centres and will run the related network security appliances, such as IPS devices, IDS devices and firewalls. It also monitors logs for security alerts and address any related issues of the security of the network itself.

However, code put in by the customer company does not belong to Amazon. If there is a vulnerability in the company code and a hacker exploits it, the company will be held responsible.

"There is no excuse for such a misconfiguration, default settings by AWS are good and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools," said Loureiro.

"Data breaches involving Personally Identifiable Information (PII) often lead to huge fines, reputational damage, and loss of trust. Not to mention the enormous impact on the individual from identity theft to financial compromise. This should be a lesson to organisations that any documents, servers or databases should always be secured and at the very least password-protected," Ramsden-Board said.

Cloud services such as AWS have made it easy and cost-effective for companies to store large amounts of data that can be quickly accessed from any location, but not applying proper permissions offer the same convenience to cyber-criminals and data-harvesters, noted Javvad Malik, security awareness advocate at KnowBe4. 

"CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes to steal their identity or use employment history and details to attack previous employers," he said.

The fact that a trivial user error caused the issue makes it important for companies to foster a strong security culture, which makes even those who aren't directly responsible for security measures aware of the value in it and the importance of implementing it properly, Malik added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews