Two recruitment firms exposed the curricula vitae (CVs) of thousands of job applicants, making the following personal information available to anyone who found the files, hackers included: names, addresses, phone numbers and career histories. Both firms exposed the CVs by leaving their AWS S3 buckets public. Amazon S3 is a web-based storage service that lets users store and retrieve any amount of data at any time, and it is reachable from anywhere on the Internet. Buckets and the objects in them are private by default, however, so data only becomes world-readable when a bucket's access settings are changed to allow it.
In all, 221,130 CVs were made publicly accessible through Authentic Jobs, plus a further 29,202 via Sonic Jobs. The true totals may be higher, as the service used to detect the leaks only refreshes irregularly.
The issue occurred because the two companies set the access settings on their “buckets” (AWS’s term for the top-level storage containers it provides) to public. This meant that as soon as someone applied for a job, their CV became available for anyone who knew the location of the bucket to view and download.
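To make the misconfiguration concrete, the following is an added example written for this page; it is not code from the article, from either firm, or from AWS. It shows the two settings that make an S3 bucket world-readable (a bucket policy granting `s3:GetObject` to the `*` principal, and an ACL grant to the `AllUsers` group) beside a corrected configuration, and a small audit function that evaluates a policy document, ACL grants and the Block Public Access switches the way a misconfiguration scanner would. The bucket name `example-cv-uploads`, the account ID `123456789012` and the role `RecruiterPortal` are hypothetical, and all sample inputs are constructed. The data shapes mirror what the AWS API returns for a bucket policy, `Grants` and `PublicAccessBlockConfiguration`, but the evaluation is a simplified model of the real access rules.

```python
import json

# The two grantee groups that make an ACL grant "public": everyone on the
# Internet, or anyone holding any AWS account at all.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Actions that let a public principal read object contents or enumerate keys.
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or positional labels) of Allow statements that grant a
    read action to everyone. Statements with a Condition block are skipped:
    a condition such as aws:SourceVpce usually narrows the audience, so those
    deserve a human look rather than an automatic verdict."""
    policy = json.loads(policy_json) if policy_json else {}
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if any(a in READ_ACTIONS for a in _as_list(stmt.get("Action"))):
            found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found


def public_acl_grants(grants):
    """Return (grantee URI, permission) for every grant to a public group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in (grants or [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_bucket(policy_json, grants, public_access_block):
    """Combine policy, ACL and Block Public Access into one verdict.

    Simplified model of S3's evaluation: IgnorePublicAcls neutralises public
    ACL grants, RestrictPublicBuckets neutralises a public bucket policy, and
    the bucket counts as public if either mechanism still grants access."""
    pab = public_access_block or {}
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(grants)
    effective_policy = [] if pab.get("RestrictPublicBuckets") else policy_hits
    effective_acl = [] if pab.get("IgnorePublicAcls") else acl_hits
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "public": bool(effective_policy or effective_acl),
    }


# Constructed sample inputs (hypothetical bucket, account and role; not real data).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# The exposed configuration: world-readable objects via policy AND a public ACL grant.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cv-uploads/*"}]})
EXPOSED_GRANTS = [OWNER, {"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
NO_BLOCK = {k: False for k in PAB_KEYS}

# The corrected configuration: reads limited to one IAM role, owner-only ACL,
# and all four Block Public Access switches turned on.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PortalReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/RecruiterPortal"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cv-uploads/*"}]})
FIXED_GRANTS = [OWNER]
FULL_BLOCK = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_POLICY, EXPOSED_GRANTS, NO_BLOCK))
    print("fixed:  ", audit_bucket(FIXED_POLICY, FIXED_GRANTS, FULL_BLOCK))
```

Note that turning on Block Public Access alone is enough to close the hole even if the offending policy and ACL are left in place, which is why it is the first setting a scanner should check; removing the public grants as well keeps the bucket safe should someone later switch the block off.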
Commenting on the data breach to Digital Journal, Stephan Chenette, Co-Founder and CTO of AttackIQ, explains what the implications of the breach are: “Unfortunately, it does not take much for cybercriminals to find databases left open to the public and access personally identifiable information.”
He notes that the issue was avoidable, since “there are tools designed to detect misconfigurations within cloud tools, like Amazon’s S3. Authentic Jobs and Sonic Jobs left a total of 250,000 customers’ records vulnerable by leaving the buckets public.”
Chenette states that companies have a responsibility to avoid this serious error: “Any organization that collects and stores consumer data must make securing that information a priority. Unauthorized exposure of any type of customer data is a serious issue that may impact them well into the future.”
Going forward, and as a general lesson for business, Chenette states: “It’s imperative for companies to continuously evaluate the cybersecurity posture of their IT environments, including cloud databases, and validate that their security controls are working as expected and properly preventing, detecting and alerting, so your security team can respond in a timely manner to any unauthorized access.”
