[BreachExchange] UK data watchdog eyeballs Virgin Media after 50,000 CVs exposed online

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 25 20:32:44 EDT 2016


http://arstechnica.co.uk/security/2016/10/virgin-media-50000-cv-applicants-exposed-ico/

Virgin Media could face a data breach probe after a job hunter uploaded his
CV to the cable firm's graduate recruitment site and discovered he had
access to as many as 50,000 past and present CVs from fellow applicants.

The Information Commissioner's Office told Ars on Tuesday morning that it
was looking at the sizeable data gaffe.

Student Alikhan Uzakov reported the flaw to Virgin Media, which
subsequently plugged the hole in the site. Uzakov then went public with his
findings a couple of days ago. He wrote:

"Whilst I was filling out an application form for Virgin Media, I was
offered the option to see my uploaded CV. What happened was quite
surprising: the URL revealed a directory (folder) where my CV was stored.

"When I opened the directory I was able to see all past and present
applications. This was a broken access control. In layman's terms this means
that access to certain data was allowed without authorisation."

According to Uzakov, "about 30,000–50,000 applications, past and present,
were accessible," and personal information that included phone numbers,
e-mails, and home addresses "were out there in the open." He said he had
originally attempted to report the issue via Twitter, but received no
response until he put a call into Virgin Media's London office a day later.
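The flaw Uzakov describes is the classic pair of a URL that names the storage path and a server that lists the parent directory. The following is an added illustration, not code from the article or from any party named in it, with constructed sample data: the broken pattern beside a hardened one that binds each upload to its owner behind an unguessable token and offers no way to enumerate the store.

```python
import secrets

# Constructed sample data: three applicants' uploads, as a recruitment site
# might hold them on disk. Values are the owning applicant.
UPLOADS = {
    "uploads/alice_cv.pdf": "alice",
    "uploads/bob_cv.pdf": "bob",
    "uploads/carol_cv.pdf": "carol",
}


def serve_broken(requested):
    """Pattern described in the article: the URL is the storage path, so a
    request for the parent directory returns a listing of every applicant's
    file, with no check on who is asking."""
    if requested.rstrip("/") == "uploads":
        return sorted(UPLOADS)  # directory listing: the whole applicant pool
    return [requested] if requested in UPLOADS else []


class CvStore:
    """Hardened pattern: a file is reachable only through an opaque token that
    is bound to its owner at upload time. There is no listing operation, and
    the token carries no information about the path or the user."""

    def __init__(self):
        self._by_token = {}

    def put(self, owner, path):
        """Record an upload and hand back the only handle the owner will see."""
        token = secrets.token_urlsafe(16)  # 128 bits of randomness; not guessable
        self._by_token[token] = (owner, path)
        return token

    def get(self, session_user, token):
        """Return the path only to the authenticated owner of that token."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != session_user:
            # Identical response for "no such token" and "not your token", so a
            # caller cannot learn whether a guessed token exists.
            return None
        return entry[1]
```

The broken handler returns all three files for a request to `uploads/`; the hardened store returns a file to its owner and `None` to anyone else.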

A spokesperson for Virgin Media—who didn't quibble with the 50,000 CVs
figure—told Ars that applications for its graduate scheme had been managed
by an unnamed third party, confirmed that the botch-job had now been fixed,
and that it had reported the matter to the ICO. The company said:

"Virgin Media works with a third party that provides an online application
service for graduates wishing to apply for Virgin Media jobs.

"After a vulnerability on the third party company’s website was identified,
the website was suspended while the issue was fixed. The service has now
resumed. Virgin Media’s systems were not affected in any way."

Campus Futures currently manages VM's graduate recruitment programme. The
outfit says it collects information on behalf of the telco, but it doesn't
provide any link to its privacy policy to confirm compliance with data
protection law when an applicant initially uploads their CV via the site.
Ars has sought comment from Campus Futures and will update this story if it
responds to our questions.

An ICO spokesperson told Ars that it was examining whether Virgin Media may
have broken the Data Protection Act, saying:

"The law requires organisations to keep any personal information they hold
secure. We are aware of an incident involving Virgin Media and personal
data from CVs being publicly available online. We are looking into the
details."

Uzakov said that while Virgin Media did thank him for spotting the flaw, he
wouldn't be officially recognised for his findings, or be given preference
over other applicants to the grad scheme "since it’s unfair."