Tens of thousands of jobseekers have had their personal information exposed by a misconfigured cloud account, according to researchers.
A team at Website Planet discovered the AWS S3 bucket left unprotected and unsecured by FastTrack Reflex Recruitment, now TeamBMS.
The firm apparently specializes in recruitment for the building management systems sector, for projects including skyscrapers 22 Bishopsgate and The Shard, Wembley Stadium and the Olympic Stadium, Heathrow Terminal 5 and Crossrail stations.
The 5GB trove contained 21,000 files including CVs featuring personal information such as email addresses, full names, mobile phone numbers, home addresses and social network URLs. Other details included dates of birth, passport numbers and applicant photos, according to Website Planet.
The research team believes that TeamBMS’s IT service provider may have been to blame for the privacy snafu.
If found by threat actors, the data could have been used to commit follow-on identity theft and fraud, and craft phishing attacks designed to steal more personal details or deploy malware.
Website Planet also claimed that the information contained in the bucket could have been used for corporate espionage or to target victims’ homes for burglary.
The research team discovered the leak on December 29 last year, and reached out several times to TeamBMS’s parent company TeamResourcing as well as to the UK CERT. The bucket was finally secured on March 23.
Not only those impacted by the leak but the company itself should be on guard for any suspicious activity going forward, Website Planet claimed.
“FastTrack, and anyone else implicated in this breach, should be vigilant when receiving calls from parties claiming to be clients or associates. In which case, businesses must implement strategies to confidently identify these individuals,” it said.
“It’s crucial that FastTrack, as well as any businesses at-risk of this exposure, implements stringent security measures when storing customer data. Businesses should hire a cybersecurity professional, to be sure that customer data is adequately protected.”