[BreachExchange] Open AWS buckets expose more than 200K CVs at two online recruitment firms

Destry Winant destry at riskbasedsecurity.com
Fri Oct 18 09:58:49 EDT 2019


https://www.scmagazine.com/home/security-news/cloud-security/open-aws-buckets-expose-more-than-200k-cvs-at-two-online-recruitment-firms/

Authentic Jobs, used by the likes of the New York Times and EY, took
the biggest hit with 221,130 CVs exposed to the public, according to a
SkyNews report. Sonic Jobs, which specializes in recruitment for
retail and restaurant jobs and is used by hotel chains Marriott and
InterContinental, had at least 29,202 CVs made publicly accessible.

“When you apply for a job, you share sensitive personal data with the
jobs board and the companies to which you’re applying. It’s their
responsibility to protect that information from disclosure,” said Tim
Erlin, vice president, product management and strategy at Tripwire.

Among the information potentially exposed are names, addresses, job
histories and phone numbers.

“An unfortunate consequence of this is that more than 200,000 CVs have
now been exposed online,” said Nominet Vice President Stuart Reed.
“Even more worrying is that Amazon buckets come secure by default, so
these companies have changed the settings at some point to allow
anyone to view their data; demonstrating a significant lack of
security understanding and best practice procedures.”

Reed said that the exposure at two online recruitment firms “shows
that it’s not an isolated case.”

Organizations that use “cloud storage must regularly audit the
permissions to ensure these kinds of breaches don’t happen,” Erlin
said.
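The permission audit Erlin recommends can be scripted. The following is an added example, not code from the article or from either recruitment firm: it takes the three things that decide whether an S3 bucket is readable by the world (the bucket ACL, the Public Access Block configuration and the bucket policy), using input dicts shaped like the responses boto3 returns from `get_bucket_acl`, `get_public_access_block` and `get_bucket_policy`, and reports which settings have been loosened. The bucket names and sample responses are constructed for the example; a real sweep would feed in live API responses for every bucket in the account.

```python
"""Offline check of the S3 settings that make a bucket world-readable.

Added example: input dicts mirror the boto3 response shapes for
get_bucket_acl, get_public_access_block and get_bucket_policy so the
same functions can be run over live responses. Sample data is constructed.
"""
import json

# Real AWS group URIs; a grant to either one counts as "public" in S3's own definition.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"]


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def policy_public_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements whose Principal is everyone."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a policy may carry a single statement object
        stmts = [stmts]
    hits = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


def public_access_block_gaps(pab):
    """Return the Public Access Block flags that are off; no configuration means all four are off."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(name, acl, pab, policy_json=None):
    """Combine the checks; 'exposed' is True only when a public grant is actually effective."""
    gaps = public_access_block_gaps(pab)
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy_json)
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    # neutralises public bucket policies. Otherwise a public grant is live.
    exposed = (bool(acl_hits) and "IgnorePublicAcls" in gaps) or (
        bool(policy_hits) and "RestrictPublicBuckets" in gaps
    )
    return {
        "bucket": name,
        "exposed": exposed,
        "public_acl_grants": acl_hits,
        "public_policy_statements": policy_hits,
        "public_access_block_gaps": gaps,
    }


# Constructed sample responses (names and IDs are placeholders, not real buckets).
SAMPLE_OPEN_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [SAMPLE_OPEN_ACL["Grants"][0]]}
SAMPLE_FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
SAMPLE_PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cv-uploads-example/*"}],
})


def run_sample_audit():
    """Audit the constructed buckets and return the findings list."""
    return [
        audit_bucket("cv-uploads-example", SAMPLE_OPEN_ACL, None),             # ACL opened, no PAB
        audit_bucket("cv-uploads-guarded", SAMPLE_OPEN_ACL, SAMPLE_FULL_PAB),  # same ACL, PAB on
        audit_bucket("cv-policy-example", SAMPLE_PRIVATE_ACL, None, SAMPLE_PUBLIC_POLICY),
    ]


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(json.dumps(finding, indent=2))
```

The point of the combined check is the one Reed makes: a bucket is only public if someone switched something off. The second sample bucket carries the same world-readable ACL as the first but stays closed because the account-level Public Access Block is still on, so the finding lists the stray grant without reporting live exposure; the first and third report exposure because nothing blocks the ACL grant or the `Principal: "*"` policy statement.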

That includes raising awareness of potential security weak points when
it comes to protecting data, particularly in the cloud. “Poor
awareness has led to the exposure of sensitive information, which
could now be used for a range of further criminal activities,” said
Reed, noting the widened digital attack surface in cloud
environments. “Regardless of the security that cloud services deliver,
companies need to take responsibility and ensure they have a
multi-layered approach to their security; including people, processes
and technology.”
