Capgemini sloppily leaks data of 780,000 Michael Page job seekers to anyone on the internet

Publicly accessible development server blamed for breach.

Graham Cluley
Graham Cluley
@[email protected]

Capgemini sloppily leaks data of 780,000 Michael Page job seekers

International recruitment agency Michael Page is contacting hundreds of thousands of job seekers, warning them that their personal information was exposed on a publicly accessible web server.

Here is the email that Michael Page is sending affected individuals:

Michael page advisory

We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites.

We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.

Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services.

We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.

Personal information leaked included job applicants’ names, email addresses, encrypted passwords, telephone number, location, work sector, current job and covering message.

What appears to have happened is that consulting giant Capgemini leaked the Michael Page data by publishing it on a publicly accessible development server.

Capgemini You may well be asking yourself – what wombat uses real customer data on a development server?

The answer, it appears, is Capgemini.

Although Michael Page is portraying the data breach as the action of “an unauthorised third party [who] illegally gained online access to a development server”, that’s quite a lot of spin at play.

Sign up to our free newsletter.
Security news, advice, and tips.

Because this wasn’t a hack in the conventional sense that circumvented security. Instead, the person who accessed the data simply visited the development server run by Capgemini and – shockingly – was able to simply download the database.

That’s the reason that Michael Page is able to also reassure users that “the data was not taken with any malicious intent.”

Nonetheless, it doesn’t mean that nobody else would have been capable of accessing the data with just as much ease. And it doesn’t excuse Capgemini for using real data on a development site.

And as for Michael Page’s assurance that “there’s no need to change your password”? Sorry, I don’t think they can afford to be that complacent.

You should, at your earliest opportunity, change the password you use with Michael Page *and* ensure that you are not using that same password anywhere else on the net.

Make your passwords strong, hard-to-crack, impossible-to-guess, and unique.

For further background reading on this incident, check out Troy Hunt’s blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Capgemini sloppily leaks data of 780,000 Michael Page job seekers to anyone on the internet”

  1. Techno

    A lot of data very useful for social engineering there. Even if you follow all the password good practice, the weak link is the Customer Service staff who are eager to help when the scammer rings them up pretending to be you.

  2. SlipperyJim

    I can't connect to Troy's blog -my https everywhere says:
    "This site can’t provide a secure connection uses an unsupported protocol.
    The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure."

    1. Erzengel · in reply to SlipperyJim

      … If I were you, I'd be very concerned. Because *my* HTTPS everywhere says that Troy's blog has the extremely good security. TLS 1.2, ECDHE ECDSA, AES 128 GCM. Are you living in a country known to censor the internet?

  3. anon

    From the circumstances Cap Gemini is self-evidently a joint controller rather than processor. Yet Michael Page seems to be taking the fall alone. Strange!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.