Irish jobs site compromised and personal information accessed
Date Reported:
3/27/08
Organization:
Jobs.ie
Contractor/Consultant/Branch:
None
Victims:
Job seekers and applicants
Number Affected:
Unknown
Types of Data:
Information contained on CVs (or resumes), often including names, addresses, email addresses, phone numbers, job histories and other personal information.
Breach Description:
"A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database."
Reference URL:
Jobs.ie Important Notice
SiliconRepublic
The Irish Times
ElectricNews.net Ltd.
Report Credit:
Jobs.ie
Response:
From the online sources cited above:
A security breach occurred on job-seekers site Jobs.ie late on Thursday 27 March, when what the company described as a ‘small number’ of CVs were illegally downloaded by a third-party that hacked the site and gained access to the database.
[Evan] Hacked?
It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.
[Evan] How do you suppose that the "hackers" came into the possession of a log-in and password? Did they get it from a stolen laptop or other piece of equipment? Did they get it from someone's Post-It note? Did they socially engineer a legitimate user? Let's suppose that the "hackers" obtained the log-in through social engineering, or a social engineering type of attack. When most people think of a "hack" they think of some sophisticated and sleuthy high-tech intrusion. Although these "hacks" do exist, this is not how most criminals access confidential information without authorization. Many intrusions take place through relatively easy exploits such as convincing someone to give you their password (e.g. social engineering, phishing, etc.).
Several CVs were downloaded before Jobs.ie was alerted. While the company has not yet given exact figures on the number of its members who had private data stolen, it says an investigation is now under way.
[Evan] Social engineering attacks are typically very difficult to prevent AND detect. Monitoring "legitimate" username and password access to data and looking for patterns of possible abuse is a sophisticated science and the amount of collected information can be enormous. It is usually easy to detect common network and host-based technical attacks because the patterns of traffic and commands differ from what would be considered "normal". Social engineering attacks can and often do go unnoticed.
Most of the stolen information relates to archive CVs rather than those of people now looking for jobs.
All site members whose CV was downloaded illegally were contacted immediately by Jobs.ie and alerted to the hacking.
[Evan] Kudos to Jobs.ie for doing the right thing. Immediate notification is excellent.
The email stated: "Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again."
The email, signed by Huw Taylor, general manager of Jobs.ie, goes on to warn those whose personal data has been compromised to "exercise extra caution while conducting online activity".
It warns users of the possibility of being contacted by someone claiming to be a reputable company and asking for personal details or banking information.
Brian Honan of online security consultancy BH Consulting says on his firm’s official blog that there are no mandatory breach disclosure laws in Ireland and that Jobs.ie should be "commended for coming clean about the incident" and doing so within 24 hours of the breach.
[Evan] I agree with Brian.
Contrary to media reports, the DPC told ENN that, as of Monday morning, it had yet to be formally contacted in relation to the matter. The DPC said that the nature of the potential data lost was a cause for concern.
An IT professional whose CV was one of those downloaded from Jobs.ie told siliconrepublic.com: "The worst that could happen is identity theft. It depends how much information you have on your CV too, some people are really foolish and put on PPS numbers and all sorts. Stealing CVs can be really handy for guessing or resetting people's passwords."
[Evan] I wonder if this is a misquote. "The worst that could happen is identity theft."
Because most people would include an email address and mobile phone number on their CV, he said that as well as phishing or identity theft, there was also a risk of spamming.
Anthony Gibbons, another affected Jobs.ie member, said to siliconrepublic.com: "This is far more significant than the loss of encrypted personal data from the blood services."
"The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning."
"Most people are reasonably aware about the dangers associated with unsolicited e-mails but they might be more inclined to be more responsive to someone who rang them claiming to be from their bank,"
Victims of the security breach who contacted The Irish Times said they had "grave concerns" in relation to their exposure to identity theft.
A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email
Commentary:
It is unlikely that a criminal could use the information obtained in this attack for identity theft, directly. The information could be used to glean further information from the victims, which in turn could lead to identity theft. The criminals gained information that wasn't meant for general public consumption. If I were a victim, I would be much more vigilant and on alert.
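Evan's remark above about monitoring "legitimate" username and password access for patterns of abuse can be made concrete. The following is an added example, not code from Jobs.ie or from the original post: it baselines each employer account's CV downloads per hour and its known source IPs, then flags hours that far exceed that baseline. The log format, account names, IP addresses and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not Jobs.ie data): time, employer account, source IP, CV id
SAMPLE_LOG = """\
2008-03-25T10:05:00 emp_acme 192.0.2.10 cv1001
2008-03-25T10:40:00 emp_acme 192.0.2.10 cv1002
2008-03-26T14:15:00 emp_acme 192.0.2.10 cv1003
2008-03-26T09:30:00 emp_birch 192.0.2.44 cv2001
2008-03-27T11:20:00 emp_birch 192.0.2.44 cv2002
""" + "".join(  # constructed burst: 12 CVs in 12 minutes from an unseen IP
    f"2008-03-27T22:{m:02d}:00 emp_acme 203.0.113.7 cv{m:04d}\n" for m in range(12))
REVIEW_START = datetime(2008, 3, 27)  # earlier events form the per-account baseline

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, account, ip, cv = line.split()
            yield datetime.fromisoformat(ts), account, ip, cv

def find_anomalies(log, review_start, factor=3, floor=5):
    """Flag (account, hour) slots whose downloads exceed the account's baseline."""
    hourly = defaultdict(Counter)   # account -> downloads per baseline hour
    known_ips = defaultdict(set)    # account -> source IPs seen in baseline
    review = defaultdict(lambda: {"count": 0, "ips": set()})
    for ts, account, ip, _cv in parse(log):
        hour = ts.replace(minute=0, second=0, microsecond=0)
        if ts < review_start:
            hourly[account][hour] += 1
            known_ips[account].add(ip)
        else:
            review[(account, hour)]["count"] += 1
            review[(account, hour)]["ips"].add(ip)
    alerts = []
    for (account, hour), slot in sorted(review.items()):
        peak = max(hourly[account].values(), default=0)
        reasons = []
        if slot["count"] > max(floor, factor * peak):
            reasons.append("volume")        # far above this account's busiest hour
        if slot["ips"] - known_ips[account]:
            reasons.append("new_ip")        # valid login, unfamiliar origin
        if "volume" in reasons:             # a new IP alone is context, not an alert
            alerts.append((account, hour.isoformat(), slot["count"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, REVIEW_START):
        print(alert)
```

The `floor` keeps rarely used accounts from alerting on a handful of downloads; tuning it and `factor` against real traffic is where the volume of collected data Evan mentions becomes the hard part.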
Past Breaches:
"Jobs.ie, one of the State's largest recruitment sites, said it had never before had such a breach."

Scary... And not the first one:
http://www.jobsblog.ie/Jobs/jobsie-hacked/86
Ivan | www.JobsBlog.ie
What I suggest is to be more alert and always have a security backup system to avoid this thing happening, and do not always trust others when doing private and confidential work. Try to be more secure all the time.
Yes, it is something that we must all guard against.
It is a bit like the doping that goes on in sport, the detection rate is far behind the effort that goes into doping R&D.
We all try and stay ahead and ensure that our websites are secure. But there are those individuals out there who spend their waking hours trying to hack systems.