Global consultancy Capgemini has reportedly leaked data relating to recruitment firm Michael Page by publishing it on a publicly accessible development server.
According to research by Troy Hunt, the incident has left Michael Page contacting around 780,000 people who were registered with the recruitment firm. In a letter, published by Graham Cluley, Michael Page stated that it was made aware of the incident on 1 November that an unauthorized “third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites.”
It said: “We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.”
Michael Page said that it immediately locked down its servers, and secured all possible entry points. “We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.”
Troy Hunt said he was made aware of the situation when an individual disclosed the publicly exposed website, directory listing enabled, .sql files exposed. “Per the directory listing above, he'd identified backups from a variety of different global assets totalling several gigabytes.” Hunt said.
“He sent over a file indicating it was sourced from the UK as a proof. It was a 362Mb compressed file which extracted out to 4.55GB. Assuming a similar compression ratio, the files in the directory listing above would total well over 30GB of raw data which is a very large set of data to leak publicly.”
Capgemini told The Register in a statement that it had fully investigated the matter and was satisfied there was no criminal intent in the data loss. "Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," Capgemini said. "Privacy and security are key priorities for Capgemini and we are reviewing the security procedures and data protection measures we have in place to protect our customers' data and proprietary information.”
Andrew Bushby, UK director at Fidelis Cybersecurity, said that this latest compromise is interesting in terms of where blame is being laid. He said: “The compromised development server was allegedly operated by Capgemini and it was those users that didn’t anonymise the data which would [have] protected it from being exposed. This live data should not have been used in a test environment and there are readily available tools that make this possible.
“For the applicants whose information could now be on the open market, however, their trust was in Michael Page, not Capgemini. The new GDPR regulation puts more emphasis on data processes as well as data owners, in which case both parties would be responsible—rather than Michael Page as currently.”