
Capgemini Leaks Data of Recruitment Firm PageGroup

Job-related information belonging to hundreds of thousands of individuals was exposed online after Capgemini inadvertently made public a database of Michael Page, a brand of UK-based global recruitment company PageGroup.


France-based Capgemini, which last year had a revenue of nearly 12 billion euros, specializes in consulting, technology and outsourcing services. The company, contracted by the recruitment giant for IT services, unintentionally exposed a Michael Page backup database containing an estimated 30 Gb of SQL files that could have been accessed by anyone who knew what to look for.

The leak was brought to the attention of Australian security expert Troy Hunt by an individual who last month discovered a similar leak involving the Australian Red Cross Blood Service. The personal details of 550,000 individuals were exposed in the Red Cross incident.

After investigating the leak, PageGroup and Capgemini determined that the data was posted to a development server used for testing PageGroup websites. The recruitment firm notified customers that names, email addresses, encrypted passwords, phone numbers and job-related information were exposed in the incident.

Hunt said a single one of the database files contained 780,000 unique email addresses and other job details. The expert learned about the leak in late October, but waited until now to make it public to give the affected companies enough time to address the issue.

PageGroup believes the data is unlikely to be misused since it appears that only Hunt and the individual who tipped him off accessed it, and they both claim to have destroyed all the copies they had. The company told affected customers that they don’t need to change their passwords.

“We have ensured the website is secure. We are treating this issue very seriously and are working with our IT vendor, Capgemini as a matter of urgency to fully investigate how this incident occurred and to put in place measures to ensure it does not happen again,” PageGroup stated. “Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands.”

Hunt pointed out that organizations of all sizes can be affected by serious vulnerabilities. The expert believes companies could avoid such incidents by running bug bounty programs, which have been increasingly popular among both public and private organizations.

“These were such low-hanging vulnerabilities that had there been even the slightest inkling of incentivisation, they would have been found very quickly and reported ethically via a channel that researchers could trust,” Hunt commented.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
