On Thursday, it emerged that an outsourcing company named Capgemini had left a database containing sensitive information on the open internet, exposing the names, contact details, resumes, and other personal information of potentially millions of people who used a global recruiting firm.
The episode highlights the lingering problem of organizations accidentally leaving sensitive data accessible to anyone with an internet connection, even though hackers and other third parties regularly, and automatically, scan the internet for exactly such databases.
"We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider," an email from Michael Page, a recruitment website, sent to users, reads.
Michael Page describes itself as "one of the world's leading professional recruitment consultancies" on its website. The data, however, was exposed by Capgemini, a consulting and outsourcing firm.
Troy Hunt, a security researcher and owner of the breach notification site Have I Been Pwned?, first heard of the exposed data when a hacker approached him with a screenshot showing folders allegedly containing files on dozens of countries, and provided him with a sample of the obtained data.
"Just the UK file was 780,000 people, and when you look at the list of how many countries are in there, and how big the UK is compared to everything else, you would assume that it's lots of millions, if not more than ten million," Hunt told Motherboard in a phone call.
According to a screenshot published by Hunt on his blog, the database includes fields such as current job, sector, job type, current salary, and contact information. Applicants' cover letters were also included in the data, Hunt writes.
"I think the most noteworthy thing is the ease of which it was obtained," Hunt told Motherboard, and added that he may not even call this a data breach, because the information was exposed to the open internet.
This problem has affected a wide range of organizations. A group recently left a copy of Thomson Reuters' terrorism and financial risk database online for anyone to download, and Hunt recently found a large database of Red Cross data exposed online. (The same hacker who approached Hunt with the Red Cross data also found this Michael Page data.)
"We don't know, we don't know," who has had access to this data, Hunt said. But hackers do automatically scan the internet for open databases, meaning there is a good chance that someone else has already come across it.
The lesson: Companies, unfortunately, repeatedly expose their customer data online. The biggest lesson here, for users and companies alike, is that if data is exposed on the internet, someone will find it. The idea that the internet is so big that hackers won't come across your database is, to be blunt, wrong. Whether it's a database or a vulnerable server, hackers will find, and will exploit, whatever is exposed.
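If attackers scan for exposed databases automatically, the obvious countermeasure is to run the same check against your own address space before they do. The script below is an added example written for this page, not code from Motherboard, Troy Hunt, Michael Page or Capgemini: it probes a list of hosts for the TCP ports that common data stores listen on and reports which are reachable. The port list and the `local_demo` listener are constructed stand-ins, and nothing here is specific to the server in the story, whose technology the article does not identify.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed list of ports commonly used by databases and data stores.
# Adjust it to the products actually deployed in your estate.
DB_PORTS = {
    1433: "mssql",
    1521: "oracle",
    3306: "mysql",
    5432: "postgresql",
    5984: "couchdb",
    6379: "redis",
    9042: "cassandra",
    9200: "elasticsearch",
    11211: "memcached",
    27017: "mongodb",
}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def find_exposed(hosts, ports=None, timeout=1.0, workers=32):
    """Probe every host against every port in parallel.

    Returns a list of (host, port, service) for each reachable port.
    A reachable port is not yet proof of exposed data: follow up with an
    authentication check against the specific service.
    """
    ports = DB_PORTS if ports is None else ports
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda hp: port_open(hp[0], hp[1], timeout), targets))
    return [(h, p, ports[p]) for (h, p), hit in zip(targets, hits) if hit]


def local_demo():
    """Constructed offline demo: a throwaway listener on 127.0.0.1 stands in
    for an exposed database, and a bound-then-released port stands in for a
    host that is not listening. Returns (open_port, closed_port, hits)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the connect is refused

    try:
        hits = find_exposed(
            ["127.0.0.1"], {open_port: "demo-db", closed_port: "demo-closed"}
        )
    finally:
        listener.close()
    return open_port, closed_port, hits


if __name__ == "__main__":
    import sys

    hosts = sys.argv[1:] or ["127.0.0.1"]
    for host, port, service in find_exposed(hosts):
        print(f"{host}:{port} ({service}) is reachable")
```

Run it as `python scan_db_ports.py host1 host2 ...` from a vantage point outside your network, since an internal scan says nothing about what the public internet can reach. Treat every hit as a finding to verify by hand: a reachable port with authentication enforced is a hardening issue, while one that answers queries without credentials is the situation this article describes.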