Exclusive

Job applicants worried as hundreds of thousands of CVs exposed online

"I am worried about the fact that my address is out there and my phone number," an affected person told Sky News.

Rowland Manthorpe

Technology correspondent @rowlsmanthorpe

Wednesday 16 October 2019 16:20, UK

OAKLAND, CA - FEBRUARY 02: A job listing board hangs at the East Bay Career Center February 2, 2006 in Oakland, California. According to a government report, U.S. unemployment benefits claims dropped to about 273,000 last week, sending a four-week average of claims to the lowest level in nearly six years. (Photo by Justin Sullivan/Getty Images)
Image: Hundreds of thousands of job seekers have been exposed
Why you can trust Sky News

Two online recruitment firms have exposed more than 200,000 CVs, revealing job-hunters' names, addresses, phone numbers and career histories to potential cyber criminals, Sky News can reveal.

Authentic Jobs, a US-based jobs board used by companies including the New York Times and accounting firm EY made 221,130 CVs publicly accessible.

Sonic Jobs, a UK retail and restaurant jobs app used by the Marriott and InterContinental hotel chains, exposed 29,202 CVs. The total numbers may be higher as the service used to detect the leaks only refreshes irregularly.

Image: Sonicjobs has exposed thousand of applicants' CVs

Both firms exposed the CVs through their cloud storage service, which stores data in servers connected to the internet.

The firms made the settings on their "buckets" - cloud storage folders provided by Amazon Web Services (AWS), the biggest cloud service in the world - public.

This meant that when someone applied for a job their CV was available for anyone who knew the location of the bucket to see and download.

Student Akilah Elder, who used Sonic Jobs to find part-time work, had her CV exposed. "I am worried about the fact that my address is out there and my phone number," she told Sky News.

More on Amazon

Related Topics:

"I trusted these people to do what they were supposed to do, which was to help me find a job and now everyone can access my data."

After they were contacted by Sky News, both companies made their buckets private.

"We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said over email.

Image: The company said it was investigating the incident

In a statement, Sonic Jobs told Sky News it was immediately reviewing how the storage system had been left public.

"With limited resources, as a small business, we are confident that we take reasonable and proportionate measures to protect the confidentiality, integrity and availability of our business data and the personal data we hold," the firm said.

The data breaches were found by security researcher Gareth Llewellyn.

"By finding and closing these buckets we can protect people who placed their trust in these businesses and - hopefully - start drawing attention to the dangers of storing personal data in a woefully insecure manner," he said.

The breach will raise questions about the security of AWS buckets, which have been accidentally configured for public access by numerous organisations, including Verizon, Dow Jones, GoDaddy and wrestling company WWE.

Amazon Web Services runs the cloud storage 'buckets'
Image: AWS buckets have been connected to multiple data breaches

In July 2017, over three million wrestling fans had their sensitive personal details exposed when WWE leaked information through an AWS bucket. Voter databases have also been leaked by US firms in the same way.

"Amazon could be doing more," said security consultant Richard de Vere.

"Amazon should proactively look for these buckets along with researchers."

In a statement, Amazon said AWS buckets were secure by default.

"If customers use the default configuration, the bucket locks down access to just the account owner and root administrator," a spokesperson told Sky News.

"We have services to help customers audit and consider configuration changes, and continue to add capabilities that give customers ways to triple check their customisations."

Mr Llewellyn agreed that the responsibility lay with companies using cloud services.

"Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn't preclude them from ensuring the data entrusted to them is safe," he said.

Under UK law, companies are obliged to report a data breach to the Information Commissioner's Office (ICO) within 72 hours of learning about it.

They must also alert anyone affected "without undue delay" if the breach is "likely to result in a high risk of adversely affecting individuals' rights and freedoms".

At the time of publication, Sonic Jobs had not alerted everyone whose CV was leaked about the breach.

An ICO spokesperson said: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it is unlikely to pose a risk to people's rights and freedoms.

"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary.

"If anyone has concerns about how their data has been handled, they can report these concerns to us and we can look into the details."

In the US state of Florida, where Authentic Jobs is based, companies are required to alert both authorities and affected consumers.

Related Topics