International recruitment agency Michael Page is contacting hundreds of thousands of job seekers, warning them that their personal information was exposed on a publicly accessible web server.
Here is the email that Michael Page is sending affected individuals:
We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini, for testing PageGroup websites.
We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.
Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services.
We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.
Personal information leaked included job applicants’ names, email addresses, encrypted passwords, telephone numbers, locations, work sectors, current jobs and covering messages.
What appears to have happened is that consulting giant Capgemini leaked the Michael Page data by publishing it on a publicly accessible development server.
You may well be asking yourself – what wombat uses real customer data on a development server?
The answer, it appears, is Capgemini.
Although Michael Page is portraying the data breach as the action of “an unauthorised third party [who] illegally gained online access to a development server”, that’s quite a lot of spin at play.
Because this wasn’t a hack in the conventional sense that circumvented security. Instead, the person who accessed the data simply visited the development server run by Capgemini and – shockingly – was able to download the database.
That’s the reason Michael Page is also able to reassure users that “the data was not taken with any malicious intent.”
Nonetheless, that doesn’t mean nobody else could have accessed the data with just as much ease. And it doesn’t excuse Capgemini for using real data on a development site.
And as for Michael Page’s assurance that “there’s no need to change your password”? Sorry, I don’t think they can afford to be that complacent.
You should, at your earliest opportunity, change the password you use with Michael Page *and* ensure that you are not using that same password anywhere else on the net.
Make your passwords strong, hard-to-crack, impossible-to-guess, and unique.
For further background reading on this incident, check out Troy Hunt’s blog.
A lot of data very useful for social engineering there. Even if you follow all the password good practice, the weak link is the Customer Service staff who are eager to help when the scammer rings them up pretending to be you.
I can't connect to Troy's blog - my HTTPS Everywhere says:
"This site can’t provide a secure connection
www.troyhunt.com uses an unsupported protocol.
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."
… If I were you, I'd be very concerned. Because *my* HTTPS Everywhere says that Troy's blog has extremely good security. TLS 1.2, ECDHE ECDSA, AES 128 GCM. Are you living in a country known to censor the internet?
From the circumstances Cap Gemini is self-evidently a joint controller rather than processor. Yet Michael Page seems to be taking the fall alone. Strange!