Recruitment Grapevine: 13m profiles at risk following data breach

An extract from another interesting guide article from Jade Burke at Recruitment Grapevine on data breaches.

With GDPR very much at the forefront of everyone’s minds, recruiters have actively made changes to ensure they are not breaking the law when it comes to data privacy.

However, one recruitment website has come under fire after it exposed millions of user profiles.

US job recruitment site Ladders, which specialises in high-end jobs, has exposed more than 13.7 million user records following a security lapse, reports TechCrunch.

According to reports, the New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, leaving the data accessible to anyone who found it.
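A quick check for the misconfiguration described above, added here as an example (it is not code from the article, from Ladders or from AWS): the script requests the cluster's root document, treats a 200 response carrying the cluster banner as open and a 401 or 403 as protected, and, only when the cluster is open, lists the non-system indices by document count so the scale of the exposure is visible at a glance. The hostname, the sample responses and the index names are constructed for illustration; point it only at systems you are authorised to test.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access.

Added example, not from the article. The target hostname and the
sample responses below are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request


def classify(status, body):
    """Classify the response to GET / on a suspected Elasticsearch host.

    'open'              : 200 with the cluster banner; anyone can query it
    'auth-required'     : 401/403; a password or access policy is in front
    'not-elasticsearch' : anything else (HTML, proxy page, other service)
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "not-elasticsearch"


def summarize_indices(cat_indices_json):
    """Turn /_cat/indices?format=json output into (index, doc_count) pairs,
    largest first, skipping dot-prefixed system indices such as .kibana."""
    rows = json.loads(cat_indices_json)
    out = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        out.append((name, int(row.get("docs.count") or 0)))
    return sorted(out, key=lambda pair: pair[1], reverse=True)


def fetch(url, timeout=5):
    """GET url and return (status, body); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_host(base_url):
    """Return (verdict, indices); indices are only enumerated when the cluster is open."""
    base = base_url.rstrip("/")
    verdict = classify(*fetch(base + "/"))
    indices = []
    if verdict == "open":
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            indices = summarize_indices(body)
    return verdict, indices


# Constructed sample responses, shaped like real Elasticsearch output.
SAMPLE_ROOT = ('{"name":"node-1","cluster_name":"prod","version":{"number":"6.4.0"},'
               '"tagline":"You Know, for Search"}')
SAMPLE_CAT = ('[{"index":".kibana","docs.count":"1"},'
              '{"index":"recruiters","docs.count":"379000"},'
              '{"index":"profiles","docs.count":"13700000"}]')


def demo():
    """Offline run over the constructed samples; returns what check_host would."""
    verdict = classify(200, SAMPLE_ROOT)
    return verdict, summarize_indices(SAMPLE_CAT) if verdict == "open" else []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. http://search.example.test:9200 (hypothetical host; 9200 is the usual port)
        try:
            verdict, indices = check_host(sys.argv[1])
        except urllib.error.URLError as err:
            sys.exit("cannot reach %s: %s" % (sys.argv[1], err.reason))
    else:
        verdict, indices = demo()
    print(verdict)
    for name, count in indices:
        print("  %-30s %12d docs" % (name, count))
```

An AWS-managed domain whose access policy does not allow the caller's IP answers the root request with a 403, which this check reports as protected; a domain whose policy grants `es:*` to an anonymous principal with no condition answers 200 and is reported as open.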

Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, discovered the database and reported the findings to TechCrunch, in a bid to get the exposed data secured.

Marc Cenedella, Chief Executive of Ladders, said: “AWS confirms that our AWS Managed Elastic Search is secure and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft and would appreciate your assistance in doing so.”

Each record that was exposed included information such as names, email addresses and individual employment histories such as job titles and previous employers.

In addition, the leaked data contained details about the industry they’re seeking a job in and their current desired salary in US dollars.

After the breach, TechCrunch verified the data by reaching out to a dozen users of the site, who confirmed their data matched their Ladders profile. One user revealed that they are ‘not using the site anymore’ following the breach.

Around 379,000 recruiters’ records were also exposed, although these were less sensitive than the user profiles, which also recorded whether each user was a US citizen.

Users’ phone numbers, postal addresses and an approximate geolocation based on their IP address were also exposed.

How you can protect data:

GDPR is a scary subject for many; however, ensuring you are GDPR compliant and meeting every legal requirement is essential for all recruiters. To ensure you are not in danger of leaking any user profiles, follow these simple tips that Dave Devloo, Lawyer and Data Protection Officer at Devloo Solicitors, previously shared with sister site HR Grapevine:

  • Create awareness of GDPR in your company and among your employees. Make them aware that there are obligations and rights involved when dealing with personal data.

  • Start a data register in which you make note of all your data processing activities and processes. This will give you a clear overview and allows companies to identify high-risk areas or gaps that need filling.

  • The accountability obligation: keep a trail of evidence, a sort of GDPR road map for your company. For example, if you’ve taken a course or training, put your certificate in the folder. Have you put extra security measures in place? Update it in your GDPR folder and keep everything in one place.
