There have been several articles and news items about data leaks in the last couple of months.  Facebook was again in the news, with some 540 million records left exposed, including account names, IDs and even details of comments and reactions to posts.  So this is a very topical area.  In this post we are going to concern ourselves with HR-type data (we have a broader post in the works for publication later in the year), and specifically with how HR-related data is, or has been, held by HR and recruitment agencies.

The latest reports concerning HR breaches that we have seen were published by ZDNet.  But if you search for news items on the internet, they are easy to find.

So what are we talking about?

Well, most of the issues come down to some HR and recruitment agencies being rather slapdash and careless with candidate data.  ZDNet found seven instances over the last few months, and over the last few years there have been plenty of others too.

What sort of scale are we talking about?

Well, in total ZDNet's security researcher came up with 590 million CVs (resumes) that have either been leaked or been left on servers that were not secured.  That is a lot of CVs, though no doubt there are duplicates among them.  Still, this is information leakage on a grand scale.  While the examples given were Chinese, they also cover recruitment activity involving many western firms, so the effects went beyond China itself.

Who has been leaking?

Well, we would love to list the firms.  However, right now everyone is keeping quiet about that.  Some of these leaks were only found relatively recently and may not have been secured yet.  The ZDNet instances in the news were all from China-based firms.  The instances concerned were all reported to the China National Computer Emergency Response Team, which, to be fair, seems to be taking action.

In 2017 a Hong Kong-based executive search firm, "AimHigher", was put under investigation for an alleged leak.  In this case the firm was not, as far as we are aware, actively selling candidate data; its systems were simply inherently insecure.  As an example, the links to CVs were publicly available and unsecured, i.e. if you knew or could guess the URL and the record ID, anyone could simply open the link and read the CV record, with no check that the person asking had any right to see it.
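The "guessable link, no access check" defect described above is what application-security people call an insecure direct object reference (broken object-level authorisation).  The following is an added illustration, not code from the post or from the firm it describes: a toy CV store with the vulnerable handler, the enumeration an attacker would run against it, and a hardened handler that requires a login, checks per record who may read it, and puts an unguessable token rather than a sequential ID in the link.  All names, record IDs, record text and tokens are constructed for the example.

```python
"""Added example: guessable CV links (IDOR) versus a hardened handler.
Everything here (users, IDs, CV text) is constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CvRecord:
    cv_id: int
    owner: str        # candidate who uploaded the CV
    recruiter: str    # consultant allowed to read it
    text: str


# Constructed sample data. Sequential integer IDs are exactly what an
# attacker enumerates once they have seen one link.
CV_STORE: Dict[int, CvRecord] = {
    1001: CvRecord(1001, "alice", "bob_recruiter", "Alice Smith, DOB 12/03/1985 ..."),
    1002: CvRecord(1002, "carol", "bob_recruiter", "Carol Jones, DOB 01/11/1990 ..."),
    1003: CvRecord(1003, "dave", "erin_recruiter", "Dave Brown, DOB 30/06/1978 ..."),
}


class Forbidden(Exception):
    """Raised when no authenticated user is attached to the request."""


class NotFound(Exception):
    """Raised for unknown records and for records the caller may not read."""


def get_cv_vulnerable(cv_id: int) -> str:
    """Handler for GET /cv/<id> with no authentication and no per-record
    authorisation: whoever can guess the integer gets the record."""
    rec = CV_STORE.get(cv_id)
    if rec is None:
        raise NotFound(cv_id)
    return rec.text


def enumerate_vulnerable(start: int, stop: int) -> List[Tuple[int, str]]:
    """What an attacker does against the vulnerable handler: walk the ID space."""
    found = []
    for cv_id in range(start, stop):
        try:
            found.append((cv_id, get_cv_vulnerable(cv_id)))
        except NotFound:
            pass
    return found


# Hardened version. Three changes: (1) the caller must be logged in,
# (2) object-level authorisation - only the owner or the assigned recruiter
# may read a record, (3) the URL carries a random token instead of the
# sequential ID, so one leaked link does not reveal the whole ID space.
TOKEN_TO_ID: Dict[str, int] = {}
ID_TO_TOKEN: Dict[int, str] = {}


def issue_link_token(cv_id: int) -> str:
    """Mint an unguessable link token (256 bits from the OS CSPRNG)."""
    token = secrets.token_urlsafe(32)
    TOKEN_TO_ID[token] = cv_id
    ID_TO_TOKEN[cv_id] = token
    return token


for _cv_id in CV_STORE:
    issue_link_token(_cv_id)


def get_cv_hardened(session_user: Optional[str], token: str) -> str:
    """Handler for GET /cv/<token>: authenticate, then authorise per record."""
    if session_user is None:
        raise Forbidden("login required")
    cv_id = TOKEN_TO_ID.get(token)
    if cv_id is None:
        raise NotFound("no such record")
    rec = CV_STORE[cv_id]
    if session_user not in (rec.owner, rec.recruiter):
        # Same response as for an unknown token, so a probing caller cannot
        # learn which tokens correspond to real records.
        raise NotFound("no such record")
    return rec.text


if __name__ == "__main__":
    print("attacker harvests:", len(enumerate_vulnerable(1000, 1010)), "CVs from the open handler")
    print("alice reads own CV:", get_cv_hardened("alice", ID_TO_TOKEN[1001])[:11])
    try:
        get_cv_hardened("alice", ID_TO_TOKEN[1003])
    except NotFound:
        print("alice cannot read dave's CV")
```

The token is a convenience, not the control: the authorisation check on `rec.owner`/`rec.recruiter` is what actually stops cross-candidate reads, and it must run on every request, including downloads served from a separate file store or CDN.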

We ourselves have come across a few instances where we have replaced systems and processes that might best be described as having "very relaxed security".  So we know it happens.

If it is just a CV - what is the big deal?

OK, you may have posted your CV on job boards, sent it to recruiters, and you probably use LinkedIn.  So does this really matter?  For a start, many of these records hold not just the CV but also the recruiter's profile of the candidate.  This includes the substance of discussions about why candidates might be looking for a job and what clients thought of them when they were presented.  Perhaps not the sort of details you would want exposed on the internet.

Most reputable job boards encourage candidates to submit CVs that leave out sensitive identifying details, key items such as date of birth and place of birth in particular.  This is important, as this level of information is exactly what identity thieves are after: it gives them enough background to pass themselves off as you on other, perhaps more important, systems.
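A job board's intake form, or a candidate about to send a CV to an agency, can enforce the advice above mechanically.  The following is an added example (not from the post or any job board's code): a small scanner that looks for labelled identity fields in CV text and redacts the values while leaving the employment history intact.  The field list and patterns are illustrative assumptions, not an exhaustive PII detector, and the sample CV is constructed.

```python
"""Added example: flag and redact identity-theft-grade fields in CV text.
The patterns are illustrative, not exhaustive; the sample CV is constructed."""
import re
from typing import List, Tuple

# Each entry: (label, compiled pattern). Group 1 captures the value that
# would be disclosed, so the scanner can report and redact just that part.
SENSITIVE_FIELDS = [
    ("date_of_birth",
     re.compile(r"\b(?:date\s+of\s+birth|d\.?o\.?b\.?)\s*[:\-]\s*([^\n]+)", re.I)),
    ("date_of_birth",
     re.compile(r"\bborn\s+(?:on\s+)?(\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4})", re.I)),
    ("place_of_birth",
     re.compile(r"\bplace\s+of\s+birth\s*[:\-]\s*([^\n]+)", re.I)),
    # UK National Insurance number shape: two letters, six digits, one letter.
    ("national_insurance",
     re.compile(r"\b(?:national\s+insurance|NI)\s*(?:no\.?|number)?\s*[:\-]?\s*"
                r"([A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D])\b", re.I)),
    ("passport",
     re.compile(r"\bpassport\s*(?:no\.?|number)?\s*[:\-]\s*([A-Z0-9]+)\b", re.I)),
]

# Constructed sample CV: ordinary career content plus three fields that
# should never be on a job-board CV.
SAMPLE_CV = """Jane Doe
Senior Analyst, 2015-present
Date of Birth: 12 March 1985
Place of Birth: Leeds
NI Number: QQ 12 34 56 C
Skills: SQL, Python, risk reporting
"""

Hit = Tuple[str, str, int, int]   # (label, value, start, end) of the value span


def find_sensitive_fields(text: str) -> List[Hit]:
    """Return every sensitive value found, ordered by position in the text."""
    hits: List[Hit] = []
    for label, pattern in SENSITIVE_FIELDS:
        for m in pattern.finditer(text):
            hits.append((label, m.group(1).strip(), m.start(1), m.end(1)))
    return sorted(hits, key=lambda h: h[2])


def redact(text: str) -> str:
    """Replace each sensitive value with a marker, keeping the field label so
    the reader can see what was removed."""
    out: List[str] = []
    pos = 0
    for _label, _value, start, end in find_sensitive_fields(text):
        if start < pos:          # overlaps a span already redacted
            continue
        out.append(text[pos:start])
        out.append("[REDACTED]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


def labels_found(text: str) -> List[str]:
    """Convenience view for an intake form: which categories were present."""
    return [label for label, _v, _s, _e in find_sensitive_fields(text)]


if __name__ == "__main__":
    for label, value, _s, _e in find_sensitive_fields(SAMPLE_CV):
        print(f"{label}: {value!r}")
    print(redact(SAMPLE_CV))
```

A pattern scanner of this kind is a tripwire, not a guarantee: it catches the labelled fields candidates habitually include, and an intake form should refuse or warn on any hit rather than silently store the record.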

So what can you do about it?

Well, there is no solid answer.  But a good start is to take care when sending your personal data out to any and all agencies.  The bigger ones, those doing much of their business in countries with strong data-protection legislation and compliance regimes, are, we suggest, likely to be safer.  The GDPR (General Data Protection Regulation) in Europe has really focused minds on how data is used and secured.  However, if you are dealing with a small HR or recruitment agency that "has its own systems", then perhaps you should be more circumspect.  Ask them how your data will be held and what security compliance they can show.  If the answer does not sound solid, then we suggest you carefully consider the risks.