Troy Hunt has disclosed another major data breach. In his words, the breach at the global recruitment firm Michael Page has a lot in common with the Australian Red Cross incident. More particularly:
It was the same individual who located the Red Cross data and the same story in terms of discovery and underlying risk on the server end: publicly exposed website, directory listing enabled, .sql files exposed.
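The two server-side conditions Hunt names, directory listing enabled and database dumps sitting in a web-served directory, are easy to check for on your own hosts. The script below is an added example written for this article, not code from Troy Hunt, Michael Page or Capgemini. It probes a few common backup paths, recognises Apache and nginx auto-generated index pages, and pulls out any links that look like database dumps. The host `dev.example.test`, the probed paths and the sample listing are all constructed for the demo; the fetcher is injectable so the logic runs offline.

```python
"""Check a web root for directory listing and exposed database dumps.

Added example for this article, not code from Troy Hunt or Michael Page.
The fetcher is injectable so the logic can be exercised offline against
constructed pages; pass the default fetcher to run it against a real host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import urlopen

# File extensions a backup of a MySQL-backed site is likely to use.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.bz2", ".sql.zip",
                   ".dump", ".bak", ".tar.gz", ".tgz")

# Apache autoindex and nginx autoindex both title the page "Index of /<dir>".
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    """True if the page looks like an auto-generated directory index."""
    return bool(LISTING_TITLE.search(html))


def exposed_dumps(html: str, base_url: str) -> list:
    """Return absolute URLs of links in a listing that look like DB dumps."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        name = href.rstrip("/").rsplit("/", 1)[-1].lower()
        if name.endswith(DUMP_EXTENSIONS):
            found.append(urljoin(base_url, href))
    return found


def default_fetch(url: str) -> str:
    """Stdlib fetcher used when the caller supplies none (network access)."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan(base_url: str,
         paths=("/", "/backup/", "/backups/", "/db/", "/sql/"),
         fetch=default_fetch) -> dict:
    """Probe common paths; return {listing_url: [dump urls]} for hits."""
    findings = {}
    for path in paths:
        url = urljoin(base_url, path)
        try:
            body = fetch(url)
        except Exception:          # 404, timeout, refused: not a listing
            continue
        if is_directory_listing(body):
            findings[url] = exposed_dumps(body, url)
    return findings


# Constructed sample: what an Apache autoindex page for /backup/ looks like.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1><pre><a href="../">Parent Directory</a>
<a href="site_2016-10-12.sql">site_2016-10-12.sql</a>  2016-10-12  31G
<a href="notes.txt">notes.txt</a>
<a href="site_2016-09-28.sql.gz">site_2016-09-28.sql.gz</a>
</pre></body></html>"""


def fake_fetch(url: str) -> str:
    """Offline fetcher for the demo: only /backup/ has listing enabled."""
    if url.endswith("/backup/"):
        return SAMPLE_LISTING
    raise OSError("404")


def demo() -> dict:
    """Run the scan against the constructed host (hypothetical name)."""
    return scan("https://dev.example.test", fetch=fake_fetch)


if __name__ == "__main__":
    for listing, dumps in demo().items():
        print("directory listing enabled:", listing)
        for d in dumps:
            print("  exposed dump:", d)
```

The fix on the server side is the mirror image of the check: disable automatic indexes (`Options -Indexes` in Apache, `autoindex off` in nginx) and keep backups outside the document root altogether rather than relying on a deny rule for `.sql` files.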
The same person contacted Hunt and provided him with a backup file containing data on job seekers in the UK. Hunt estimated that the accessible backups together held more than 30 GB of raw data; the UK backup alone covered 780,000 people.
The exposed records included each person's name, email address, (encrypted) password, telephone number, location, details of their current job and, where one had been supplied, their covering message.
The file I received included table names indicating that as with the Red Cross, this was the output of mysqldump and in this case it contained table names pointing to Acquia, a hosted Drupal platform. Further info followed by way of screen caps indicating various other fields and data snippets that you’d expect people to provide a recruitment company.
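When a file like this lands in an investigator's hands, the first job is to establish what it is and what it contains without loading it into a database. The script below is an added example for this article, not code from Troy Hunt or Michael Page: it recognises the mysqldump header, enumerates `CREATE TABLE` statements and their columns, flags column names that suggest credentials or contact details, and counts the rows in each `INSERT` by walking the `VALUES` list with quoting and escapes honoured. The sample dump and its table names are constructed for the demo and are not the leaked file.

```python
"""Triage a mysqldump file: tables, sensitive-looking columns, row counts.

Added example for this article, not code from Troy Hunt or Michael Page.
SAMPLE_DUMP below is constructed for the demo; it is not the leaked file.
"""
import re

# Column-name fragments that usually mean credentials or contact data.
SENSITIVE = ("pass", "hash", "mail", "phone", "tel", "secret", "token")

CREATE_RE = re.compile(r"CREATE TABLE `?(\w+)`?\s*\((.*?)\)\s*(?:ENGINE|;)",
                       re.S | re.I)
COLUMN_RE = re.compile(r"^\s*`(\w+)`", re.M)          # lines that define a column
INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? (?:\([^)]*\) )?VALUES\s*(.*?);\s*$",
                       re.S | re.I | re.M)


def is_mysqldump(dump: str) -> bool:
    """mysqldump writes a fixed comment header on its first line."""
    return dump.lstrip().startswith("-- MySQL dump")


def count_tuples(values: str) -> int:
    """Count top-level (...) groups in a VALUES list, honouring quoted strings."""
    depth, count, in_str, esc = 0, 0, None, False
    for ch in values:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == in_str:
                in_str = None
            continue
        if ch in ("'", '"'):
            in_str = ch
        elif ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


def triage(dump: str) -> dict:
    """Return {table: {"columns": [...], "sensitive": [...], "rows": n}}."""
    tables = {}
    for m in CREATE_RE.finditer(dump):
        name, body = m.group(1), m.group(2)
        cols = COLUMN_RE.findall(body)
        tables[name] = {
            "columns": cols,
            "sensitive": [c for c in cols
                          if any(k in c.lower() for k in SENSITIVE)],
            "rows": 0,
        }
    for m in INSERT_RE.finditer(dump):
        entry = tables.setdefault(m.group(1),
                                  {"columns": [], "sensitive": [], "rows": 0})
        entry["rows"] += count_tuples(m.group(2))
    return tables


# Constructed sample dump (hypothetical tables; values are made up).
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 5.6.33, for Linux (x86_64)
--
-- Host: localhost    Database: site_dev
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `uid` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(60) NOT NULL DEFAULT '',
  `pass` varchar(128) NOT NULL DEFAULT '',
  `mail` varchar(254) DEFAULT '',
  `phone` varchar(32) DEFAULT NULL,
  PRIMARY KEY (`uid`),
  KEY `mail` (`mail`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `users` VALUES (1,'alice','$S$Dabc','alice@example.test','+44 7700 900001'),(2,'bob, jr.','$S$Dxyz','bob@example.test',NULL),(3,'carol (temp)','$S$D123','carol@example.test','+44 7700 900003');
CREATE TABLE `applications` (
  `aid` int(10) unsigned NOT NULL,
  `uid` int(10) unsigned NOT NULL,
  `current_job` varchar(255) DEFAULT NULL,
  `cover_message` text,
  PRIMARY KEY (`aid`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `applications` VALUES (10,1,'Analyst','Hi; I\\'d love to join.'),(11,3,'Engineer','');
"""


def demo() -> dict:
    return triage(SAMPLE_DUMP)


if __name__ == "__main__":
    print("mysqldump header:", is_mysqldump(SAMPLE_DUMP))
    for table, info in demo().items():
        print(f"{table}: ~{info['rows']} rows, sensitive columns: {info['sensitive']}")
```

The row counts are approximate by design: a `;` followed by a newline inside a string value would split an `INSERT` early, so treat the numbers as an order-of-magnitude estimate for scoping, not as the figure to put in a notification letter.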
Hunt learnt of the breach on October 30 and immediately passed the information to Capgemini, the outsourcing company that acts as Michael Page's IT provider.
What did Michael Page say about the incident?
We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites. We are sorry to tell you that the details you provided as part of your recent website activity have been identified as amongst those accessed.
According to Michael Page, the server was locked down immediately and all possible entry points were secured. A detailed investigation followed, and the firm concluded that no data had been taken with malicious intent. The company asked the third party to destroy or return all copies of the data, and says the data has since been destroyed.
The company, however, has not said how long the data was accessible online, and it is not known whether anyone with malicious intent also found it.
Given how often breaches come down to simple mistakes like these, Troy Hunt's advice to companies is to run bug bounty programmes so that the low-hanging vulnerabilities usually at fault are found and fixed before they cause an incident.