[BreachExchange] Recruitment giant PageGroup hacked, Capgemini dev server blamed for info leak

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 11 14:05:02 EST 2016


http://www.theregister.co.uk/2016/11/11/capgemini_pagegroup_leak/

Global recruitment giant PageGroup says a hacker infiltrated its network
and accessed job applicants' personal information.

The miscreant broke into a development system run by IT outsourcer
Capgemini for PageGroup, and was able to look up job hunters' names, email
addresses, hashed passwords and more. UK-headquartered PageGroup and
Capgemini both told The Register they believe the miscreant who slipped
into the development system had no malicious intent.

In alerts emailed to customers on Thursday – messages seen by El Reg –
PageGroup warned that their records were obtained illegally by an
unauthorized third party. Here's the text of one email sent on Thursday
evening, UK time:

We regret to inform you that on 1 November 2016, we were made aware that an
unauthorised third party illegally gained online access to a development
server used by our IT provider, Capgemini for testing PageGroup websites.

We are sorry to tell you that the details you provided as part of your
recent website activity have been identified as amongst those accessed. We
know people care deeply about their data being protected so wanted you to
hear this from us.

Since we identified that your data was accessed, we have worked non-stop to
fix this issue with Capgemini, who are a global leader in consulting,
technology and outsourcing services. We immediately locked down our servers
and secured all possible entry points to them. We carried out a detailed
investigation into the nature of what happened. To reassure you, we know
that the data was not taken with any malicious intent. We have requested
that the third-party destroys or returns all copies of the data. They have
confirmed that they have already destroyed it and we are confident that
they have done so.

The data fields which were accessed are:

First name
Last name
Email address
Password – please note this is encrypted into a code and not readable by
any third-party so there’s no need to change your password
Telephone number
Location
The sector you told us you work in
The sub sector you told us you work in
Job type
Current job (only when applying via LinkedIn)
Your covering message (optional field)

PageGroup has always placed the highest priority on data security and so
this breach of data is deeply disappointing and of serious concern. We will
continue to work to understand fully how the breach has occurred and to
ensure it does not happen again. For more information please visit our FAQ
page here (http://www.michaelpage.co.uk/data-incident-faqs).

PageGroup learned that it was compromised on November 1, and it took more
than a week to admit it was hacked. It appears some people are affected
more than others: while some customers just had their names and email
addresses exposed, others lost control of more information about themselves
and their work situation.

According to PageGroup, no CVs were accessed by the hacker. Of course, if
this person could snatch people's details, anyone with the right skills
could have done so, too.

"We have ensured the website is secure," PageGroup said in the
aforementioned FAQ.

"We are treating this issue very seriously and are working with our IT
vendor, Capgemini as a matter of urgency to fully investigate how this
incident occurred and to put in place measures to ensure it does not happen
again.

"Capgemini fully manage our PageGroup websites and is regarded as a global
leader in consulting, technology and outsourcing services. It has all the
appropriate security certificates and ISO certifications in place, which we
believed would ensure that the website environments would be secure and
safe in their hands."

A spokesperson for PageGroup told us the unnamed hacker has since promised
they have destroyed the data and the company is "confident that they have
done so." To us it sounds like someone discovered a vulnerable server,
found out they could exploit it to extract people's information, and then
reported it to PageGroup.

Capgemini, which handles a lot of outsourced work for the British
government, told The Reg in a statement that it had fully investigated the
matter and was satisfied there was no criminal intent in the data loss.

"Our work has established that this was not a malicious attack and we are
not aware of any broader dissemination of data or fraudulent activities as
a result of the incident," Capgemini said.

"Privacy and security are key priorities for Capgemini and we are reviewing
the security procedures and data protection measures we have in place to
protect our customers' data and proprietary information."