Recruitment giant PageGroup hacked, Capgemini dev server blamed for info leak

Someone's definitely looking for a new job

Exclusive: Global recruitment giant PageGroup says a hacker infiltrated its network and accessed job applicants' personal information.

The miscreant broke into a development system run by IT outsourcer Capgemini for PageGroup, and was able to look up job hunters' names, email addresses, hashed passwords and more. UK-headquartered PageGroup and Capgemini both told The Register they believe the miscreant who slipped into that system had no malicious intent.

In alerts emailed to customers on Thursday – messages seen by El Reg – PageGroup warned that their records were obtained illegally by an unauthorized third party. Here's the text of one email sent on Thursday evening, UK time:

We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites.

We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed. We know people care deeply about their data being protected so wanted you to hear this from us.

Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services. We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened. To reassure you, we know that the data was not taken with any malicious intent. We have requested that the third-party destroys or returns all copies of the data. They have confirmed that they have already destroyed it and we are confident that they have done so.

The data fields which were accessed are:

  • First name
  • Last name
  • Email address
  • Password – please note this is encrypted into a code and not readable by any third-party so there’s no need to change your password
  • Telephone number
  • Location
  • The sector you told us you work in
  • The sub sector you told us you work in
  • Job type
  • Current job (only when applying via LinkedIn)
  • Your covering message (optional field)

PageGroup has always placed the highest priority on data security and so this breach of data is deeply disappointing and of serious concern. We will continue to work to understand fully how the breach has occurred and to ensure it does not happen again. For more information please visit our FAQ page here.

PageGroup learned that it was compromised on November 1, and it took more than a week to admit it was hacked. It appears some people are affected more than others: while some customers just had their names and email addresses exposed, others lost control of more information about themselves and their work situation.

According to PageGroup, no CVs were accessed by the hacker. Of course, if this person could snatch people's details, anyone with the right skills could have done so, too.

"We have ensured the website is secure," PageGroup said in the aforementioned FAQ.

"We are treating this issue very seriously and are working with our IT vendor, Capgemini as a matter of urgency to fully investigate how this incident occurred and to put in place measures to ensure it does not happen again.

"Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands."

A spokesperson for PageGroup told us the unnamed hacker has since promised they have destroyed the data and the company is "confident that they have done so." To us it sounds like someone discovered a vulnerable server, found out they could exploit it to extract people's information, and then reported it to PageGroup.

Capgemini, which handles a lot of outsourced work for the British government, told The Reg in a statement that it had fully investigated the matter and was satisfied there was no criminal intent in the data loss.

"Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," Capgemini said.

"Privacy and security are key priorities for Capgemini and we are reviewing the security procedures and data protection measures we have in place to protect our customers' data and proprietary information." ®
