Recruitment giant PageGroup hacked, Capgemini dev server blamed for info leak
Someone's definitely looking for a new job
Exclusive: Global recruitment giant PageGroup says a hacker infiltrated its network and accessed job applicants' personal information.
The miscreant broke into a development system run by IT outsourcer Capgemini for PageGroup, and was able to look up job hunters' names, email addresses, hashed passwords and more. UK-headquartered PageGroup and Capgemini both told The Register they believe the miscreant who slipped into the system had no malicious intent.
In alerts emailed to customers on Thursday – messages seen by El Reg – PageGroup warned that their records were obtained illegally by an unauthorized third party. Here's the text of one email sent on Thursday evening, UK time:
We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini, for testing PageGroup websites.
We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.
Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services. We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.
The data fields which were accessed are:
- First name
- Last name
- Email address
- Password – please note this is encrypted into a code and not readable by any third party so there’s no need to change your password
- Telephone number
- The sector you told us you work in
- The sub sector you told us you work in
- Job type
- Current job (only when applying via LinkedIn)
- Your covering message (optional field)
PageGroup has always placed the highest priority on data security and so this breach of data is deeply disappointing and of serious concern. We will continue to work to understand fully how the breach has occurred and to ensure it does not happen again. For more information please visit our FAQ page here.
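The alert above describes the exposed passwords as "encrypted into a code", which in practice means hashed, as the article notes. Whether a hashed password is really unreadable depends on how it was hashed, and the page does not say which scheme PageGroup's sites used. The following is an added illustration by the editor, not code from PageGroup, Capgemini or The Register: it contrasts an unsalted fast hash, where identical passwords produce identical digests that can be spotted from the dump alone, with a salted, deliberately slow PBKDF2 scheme, where the same password yields a different stored value for every user. The sample passwords are constructed for the example and are not from the breach.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed sample input: three applicants, two of whom chose the same password.
SAMPLE_PASSWORDS = ["Winter2016!", "Winter2016!", "correct horse battery staple"]

# Work factor for the slow scheme; an assumed value for this example.
PBKDF2_ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted, fast hash (plain SHA-256 of the password).

    Every user with the same password gets the same digest, so the dump
    itself reveals shared passwords, and each digest can be checked against
    guesses at hardware speed.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash using PBKDF2-HMAC-SHA256.

    Stored format (this example's own layout): 'iterations$salt_hex$digest_hex'.
    A fresh random salt per user means equal passwords no longer collide.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count and compare
    in constant time, so verification timing leaks nothing about the digest."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_sharing_a_digest(stored_hashes: List[str]) -> int:
    """Number of records whose stored value appears more than once.

    For an unsalted scheme this is non-zero whenever two users share a
    password; for a per-user-salted scheme it is zero regardless.
    """
    counts = Counter(stored_hashes)
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak = [weak_hash(p) for p in SAMPLE_PASSWORDS]
    strong = [strong_hash(p) for p in SAMPLE_PASSWORDS]
    print("unsalted SHA-256: users sharing a digest =", users_sharing_a_digest(weak))
    print("salted PBKDF2:    users sharing a digest =", users_sharing_a_digest(strong))
    print("verify correct password:", verify_strong(SAMPLE_PASSWORDS[0], strong[0]))
    print("verify wrong password:  ", verify_strong("not-it", strong[0]))
```

The point for incident response is that "hashed" is not one thing: a dump of unsalted fast hashes gives an outsider both the duplicate-password structure and cheap offline guessing, whereas a salted, slow scheme such as PBKDF2, bcrypt or scrypt removes the former and makes the latter expensive. Without knowing which scheme was in use, a forced password reset is the conservative response.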
PageGroup learned that it was compromised on November 1, and it took more than a week to admit it was hacked. It appears some people are affected more than others: while some customers just had their names and email addresses exposed, others lost control of more information about themselves and their work situation.
According to PageGroup, no CVs were accessed by the hacker. Of course, if this person could snatch people's details, anyone with the right skills could have done so, too.
"We have ensured the website is secure," PageGroup said in the aforementioned FAQ.
"We are treating this issue very seriously and are working with our IT vendor, Capgemini as a matter of urgency to fully investigate how this incident occurred and to put in place measures to ensure it does not happen again.
"Capgemini fully manages our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands."
A spokesperson for PageGroup told us the unnamed hacker has since promised they have destroyed the data and the company is "confident that they have done so." To us it sounds like someone discovered a vulnerable server, found out they could exploit it to extract people's information, and then reported it to PageGroup.
Capgemini, which handles a lot of outsourced work for the British government, told The Reg in a statement that it had fully investigated the matter and was satisfied there was no criminal intent in the data loss.
"Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," Capgemini said.
"Privacy and security are key priorities for Capgemini and we are reviewing the security procedures and data protection measures we have in place to protect our customers' data and proprietary information." ®