[BreachExchange] Seek apologises for 'internal technical issue' that exposed user details

Destry Winant destry at riskbasedsecurity.com
Thu Aug 13 10:17:58 EDT 2020


https://www.zdnet.com/article/seek-apologises-for-internal-technical-issue-that-exposed-user-details/

Job search engine Seek confirmed that while it suffered an "internal
technical issue" on Monday, which resulted in the exposure of other
candidates' details when users were logged into their Seek Profiles, it
does not view the incident as a notifiable data breach and will not be
reporting it to the Office of the Australian Information Commissioner
(OAIC).

"We identified an internal technical issue that occurred during a
23-minute period on Monday 10 August 2020," the company told ZDNet.

"During that time period, due to a cache error, incorrect information
such as career history and education was able to be viewed across
profiles logged in at that time."

The data breach was highlighted in a Reddit thread when one user
posted how they could view other users' profiles while logged into
their own account.

Seek, however, gave an assurance that no names, contact details, or
resumes of candidates in Seek profiles were impacted.

The error impacted fewer than 2,000 Seek profiles, the company said,
adding that 206 job applications that were being submitted during the
period were also affected.

"This involved incorrect details relating to the most recent role a
candidate held being included within their job application. Again,
this did not include information from the name, contact details or
email address fields, nor did it impact any resumes sent as part of
job applications," Seek said.

Seek said the "technical issue" was identified and corrected quickly,
and all affected candidates and hirers have since been contacted.

"We sincerely apologise for any inconvenience caused," the company stated.

Given a "very limited" amount of information from candidate profiles
was exposed, the job search engine said it will not be reporting the
incident to the OAIC.

"Given that this incident involved a very limited amount of
information from candidate profiles being inadvertently shown to other
candidates, who happened to be logged into the website during the
brief period of time during which this occurred, the incident is not a
notifiable data breach and therefore one that did not require
reporting to the OAIC," Seek told ZDNet.

"Notwithstanding this, Seek takes our candidates' privacy seriously
and has contacted all candidates affected by this incident as well as
conducted significant due diligence to determine the cause and impact
as well as remedial/preventive steps to be taken."

Under the Notifiable Data Breaches scheme, agencies and organisations
in Australia that are covered by the Privacy Act are required to
notify individuals whose personal information is involved in a data
breach that is likely to result in "serious harm" as soon as
practicable after becoming aware of a breach.

Last month, the OAIC revealed the number of reported data breaches in
Australia for the 2019-20 financial year totalled 1,050.

For the six months spanning January to June 2020, 518 breaches were
notified under the Notifiable Data Breaches (NDB) scheme, down 3% from
the 532 reported in July to December 2019.

Human error accounted for 176 breaches from January through June, with
personal information sent to the wrong recipient via email accounting
for 68 of those cases. In two cases, a fax with personal information
was sent to the wrong recipient.

There was a loss of paperwork or storage device on 14 of the reported occasions.
