July 18th, 2008 by James
In the past, we have mentioned ‘bots’ that harvest resumes from job boards in order to build a database of identities for fraudulent use. The Register has an article about a new tool for harvesting identities from job boards.
A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) of hundreds of thousands of jobseekers has been placed at risk, according to net security firm PrevX.
The article makes some recommendations on how a job board should block identity harvesting services. The security firm quoted recommends limiting the number of searches a recruiter can carry out, or using a “CAPTCHA” (one of those distorted images you have to read when you sign up to a website). Limiting the number of searches is definitely a good idea. Some of the big job boards have this in place, but it is something every job board should consider. It is physically impossible for a human to download 50 resumes in two minutes, so why not block (or slow down) users who attempt to do so?
As for the CAPTCHA… it is inconvenient and annoying, and it slows down and frustrates recruiters. But does it work? For one thing, you’re in a race against hackers who will try to build software to solve your CAPTCHAs automatically. And if that fails, they can always fall back on human CAPTCHA solvers paid $3 per day. Still, it is an option that could be used as part of a broader security policy. The most important thing is for job sites to realise that harvesting tools like this exist, and to develop a security strategy to protect against them.
Posted in Identity Theft, Job Boards | No Comments »
May 13th, 2008 by James

They’re coming out of the woodwork now. The latest in the Bank of Ireland saga is that they have admitted that another laptop was stolen… seven years ago.
- 2001: Bank of Ireland laptop gets stolen. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments. They tell nobody.
- 2002: ??
- 2003: ??
- 2004: ??
- 2005: ??
- 2006: ??
- 2007: Bank of Ireland laptops stolen on at least four occasions, containing personal information of tens of thousands of people. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments.
- 2008: Bank of Ireland admit the theft of four laptops, but initially acknowledge only part of the impact. The media swoops, the public responds, pointy-haired bosses get an earful, and basic policies from Security 101 (like encrypting laptop hard drives) are introduced.
There are a lot of conclusions that could be drawn from this timeline. Here are some of mine:
- The Irish Guild of Laptop Thieves must have called a four year strike between 2002 and 2006 as protest against rising house prices in Ireland.
- Institutions like Bank of Ireland can repeatedly get away with disastrous privacy leaks simply by not telling anyone.
- Nothing ever gets done until it’s in the spotlight and pressure is applied.
Bank of Ireland has once again played down the potential threat of this theft, stressing the fact that the data stolen is seven years old. The HSE files in the field were 25+ years old; it doesn’t matter if the data is old. Data such as name, date of birth, address, bank details, medical history, etc., do not change regularly. And if my details are sitting in a scammer’s database, I don’t care how up to date they are.
Bank of Ireland are playing down the potential threat simply because it is in their interest to minimise this problem - the one they didn’t want to admit to in the first place. We need the Data Protection Commissioner to be informed of these instances when they happen in order to independently investigate and assess the potential threat.
Posted in Identity Theft | No Comments »
May 1st, 2008 by James

It has been a high profile week for identity theft issues in Ireland. First we heard about the Bank of Ireland laptop data theft, prompting Glandore Systems to call upon the Irish government to introduce mandatory disclosure laws (responding to this breach and others recently, such as Jobs.ie and the Blood Transfusion Service). Somebody at Glandore Systems called “James Gavin” was quoted in the Irish Examiner speaking on the issue - he must be a new hire or something.
The need for mandatory breach disclosure was validated only a few days later, as Bank of Ireland have admitted that the issue is much larger than they initially said. Now 30,000 customers are affected, from 29 different branches. I will only reiterate that for all we know there could be 300,000 people affected - if the bank has no legal obligation to disclose data theft then how can we expect to know?
Mirroring the disregard that a major Irish bank shows for its customers’ privacy, now we find out that the Health Service Executive has dumped confidential medical files in a field.
The files contain detailed medical histories of people who were treated at Cork Regional Hospital, the hospital now known as Cork University Hospital, and at St Finbarr’s Hospital in the city.
Data includes the names, addresses, dates of birth and medical conditions of patients treated in the 1970s and early 1980s.
The HSE says that it “does not know how many”. Between the Regional Hospital and St. Finbarr’s, that potentially covers just about every Cork person over the age of 25 - including me. Once again, a major institution in Ireland has put the population at risk to identity theft and other fraud. How will the government respond? A bank doesn’t even bother to encrypt its files. The health service dumps confidential files in a field. Institutions like Bank of Ireland and the HSE will only introduce stricter security policies if the government brings in some laws to protect us from their neglect.
Another Cork-based software company, You Get It Back, puts things into perspective by using the Washington Post’s estimates to gauge how much a thief can gain from selling personal details on the black market. In the case of the backup tapes that were stolen from the University of Miami last week, it amounts to $28 million! With figures like this, even your average laptop thief on the street is going to wake up to the fact that there is big money to be made if you can get your hands on some juicy personal details. Institutions need to be held accountable when they allow theft like that to occur, but they’re never going to be held accountable if they don’t even have to admit to the data loss in the first place!
Posted in Identity Theft | No Comments »
April 22nd, 2008 by James

The theft of four Bank of Ireland laptops containing customers’ names and addresses, medical backgrounds, life assurance details and bank account details is big news at the moment.
The details of 10,000 customers were stored unencrypted on a number of laptops that were stolen - one from a BoI branch, and three from cars on separate occasions. I won’t even think about the laptop that was stolen from a branch - if somebody can walk into a bank and steal a laptop then obviously there is a much bigger issue here. But I’m stunned by the theft of laptops from cars - were these sitting on the passenger seat while some guy went in to Spar for his breakfast roll? Many companies train their employees on how to avoid getting their laptop stolen. Some high-tech approaches include putting the laptop into the boot of the car before leaving the office. But when you’re dealing with something as sensitive as we have here, is it even necessary for the information to leave the relative safety of BoI HQ? Why were employees of the bank carrying such sensitive information around in their cars? Why was it not encrypted? The fact that this was allowed to happen in the first place shows a lack of security awareness in the bank, and an inadequate security policy.
It gets worse. Justin Mason points out that the breach did not come from the bank at all - it was the DPC who first raised the issue. As we mentioned in relation to the jobs.ie hack, there are currently no laws for mandatory disclosure in Ireland. So if the bank does not take responsibility and inform its victims of the theft (out of good will or otherwise), how can we know that this has not happened before? They have admitted that this is not a once-off; these four laptops were stolen on separate occasions.
So what now for the 10,000 people who now have their medical details compromised? RTE references a statement by Mr Burrows from Bank of Ireland:
Mr Burrows, who was speaking in Belfast at the launch of new bank notes, admitted that the theft had been deeply embarrassing for the bank. But he said the bank is confident that none of the information stored on the computers has been illegally used.
How can the bank be confident that none of the information has been used illegally? They are monitoring the BoI accounts of those 10,000 victims, but do you think the only potential scam is to withdraw money? These thieves are resourceful enough to rob a bank, could we not assume that they’re capable of taking some medical records and personal details and selling them to professional scammers who are far more experienced in matters of fraud than anyone who works at BoI?
The issue here is an underlying lack of responsibility from BoI from start to finish. They were irresponsible when it came to protecting your data. They were irresponsible when they opted not to disclose the breaches initially. And now they’re being irresponsible as they play down the potential impact, moving to dismiss legitimate concerns that victims might have.
Posted in Identity Theft | No Comments »
April 14th, 2008 by James
BBC’s The Real Hustle is a TV show focusing on how easy it is to be scammed and conned in everyday life. This week, the team posed as recruitment consultants, highlighting the trust that job seekers are willing to impart during their job search.
The clip is an eye-opener - “identity theft on a grand scale”. In this episode, the girl gives her passport number and bank statements, which allow the hustlers to apply for mortgages, credit cards, duplicate passports, and birth certificates all in her name. She is not alone, as the other job seekers give their details without question, assuming that the recruitment agency is on their side. The staffing industry is very fragmented with the majority of recruitment companies doing less than $2 million in revenue. With so many small, owner-operated agencies, it is difficult to know who you can trust.
What The Real Hustle describes as “a steady stream of job seekers all willing to divulge their personal details” exists on the internet on a scale a million times larger. Due to the lower barrier to entry for online recruitment sites, without the need to rent an office or put on a suit, the online jobs market is even more fragmented and inherently less trustworthy. Even the most “legit” job sites have shown that, even if they do have your best interests in mind, they do not always take the steps necessary to protect your identity.
People often underestimate the value of information, but even something as inconspicuous as a maiden name is sometimes used as a password for banking. In this video, the girl is asked to choose a four-digit PIN as part of her application, and she uses the same one as on her bank card. This is often the case with the passwords people choose online. Bad practices, such as storing plain-text passwords, are always going to exist; improving awareness is the key for now.
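To put the PIN point in concrete terms, here is an added example (not code from the post or from the programme it describes): a record store in the plain-text form the post mentions beside a properly salted and hashed one, and the enumeration a thief runs against a stolen record. The record layout, the PIN values and the iteration count are constructed for the example. The point is that a four-digit PIN has only 10,000 possible values, so how the collecting site stores it barely matters once its database is stolen, and reusing the bank PIN there hands the bank PIN over too.

```python
"""Why a four-digit PIN handed to a third party is exposed however it is stored.

Added example; not code from the post or the programme it describes. The
record layout, the PIN values and the iteration count are constructed here.
"""
import hashlib
import hmac
import os

# Assumption: kept tiny so the demonstration runs in about a second. A real
# deployment uses far more iterations, which slows the attack below by the
# same constant factor and nothing more.
PBKDF2_ITERATIONS = 200
PIN_SPACE = 10_000        # every four-digit PIN, 0000 through 9999


def store_plaintext(pin):
    """The bad practice the post names: the record holds the PIN itself."""
    return {"scheme": "plain", "value": pin}


def store_hashed(pin, salt=None):
    """A sensible-looking record: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "value": digest}


def verify(record, pin):
    """Check a candidate PIN against either kind of record."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["value"], pin)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"],
                                 PBKDF2_ITERATIONS)
    return hmac.compare_digest(record["value"], digest)


def recover_pin(record):
    """What a thief does with a stolen record: try every four-digit PIN.

    Returns (pin, guesses_made). Salting defeats precomputed tables and
    hashing adds a per-guess cost, but neither changes the size of the
    candidate space, so the PIN falls out after at most 10,000 guesses.
    """
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if verify(record, candidate):
            return candidate, n + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    stolen = store_hashed("3141")       # constructed PIN
    print("recovered", *recover_pin(stolen))
```

The same enumeration against a long passphrase would be hopeless, which is exactly why the hashed scheme is still the right way to store real passwords; it is the tiny PIN space, not the storage, that makes a reused PIN a liability.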
Posted in Identity Theft, Staffing Industry | 1 Comment »
April 1st, 2008 by Brian

In light of recent security breaches leading to the theft of thousands of resumes, we are interested in hearing from any job seekers who have suffered as a result of one of these privacy breaches. Whether you found yourself added to some spam mailing lists, received fraudulent job offers or phone calls, or became a victim of identity theft, leave a comment or contact us; we would like to hear your story.
The reality is that the job board industry ($14B+) didn’t even exist 10 years ago and was not designed with the individual’s privacy in mind. Resumes are copyrighted material containing personal information that are bought and sold daily, often without the owner’s consent. Many job seekers have noticed that their resume has been distributed without consent, modified by recruiters, or stored for long periods of time without adequate concern for the security or privacy of the individual.
In addition to the breach of copyright law, the Federal Bureau of Investigation in the US has pointed out regularly that posting your resume makes it much easier for criminals to find you. The FBI is currently investigating all sorts of cases involving online job scams. The agency has issued a number of warnings and guidelines to people posting their resumes online, and points you to the Internet Crime Complaint Center if you think you have been defrauded online.
Many of the major job boards have procedures in place to prevent fraudsters’ “bots” from downloading thousands of CVs at a time. Monster and Careerbuilder cap the number of page views and monitor excessive usage but, in reality, the damage is often done by the time the warning bell goes off. The simple truth is that anyone with a login (bought legitimately or obtained by hacking) can access the information. Resume theft from job boards has been happening for years and is only now getting any attention from the resume owners. The job board industry is new, has a low barrier to entry, is experiencing tremendous growth, and is generating enormous profits for the corporations that run it. The bottom line is that this industry was never designed to take an individual’s privacy and copyright protection into account.
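As an added example (not code from this post, nor any job board’s actual defence), here is a sliding-window limiter of the kind the July 18th post above and this paragraph describe: it refuses further resume downloads, rather than only raising an alarm after the harvest is done, once an account or a client IP exceeds 50 downloads in two minutes. The log format, the account names, the IP addresses and the one-hour lockout are all constructed for the example.

```python
"""Sliding-window limiter for resume downloads on a job board.

Added example; not the original post's code and not any job board's actual
defence. The log format "<unix_time> <account> <client_ip> <path>", the account
names, the IP addresses and the lockout period are all constructed here.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 120   # the "two minutes" from the post
MAX_DOWNLOADS = 50     # the "50 resumes" from the post
BLOCK_SECONDS = 3600   # assumption: lock a tripped key out for an hour


class DownloadRateLimiter:
    """Allow at most max_downloads fetches per key in any sliding window.

    The key is normally the account id; a second instance keyed by client IP
    catches a harvester that rotates through several purchased logins.
    """

    def __init__(self, max_downloads=MAX_DOWNLOADS, window=WINDOW_SECONDS,
                 block_for=BLOCK_SECONDS):
        self.max_downloads = max_downloads
        self.window = window
        self.block_for = block_for
        self._recent = defaultdict(deque)   # key -> timestamps of allowed fetches
        self._blocked_until = {}            # key -> epoch second the lockout ends

    def allow(self, key, now):
        """Return True if the fetch may proceed, False if it must be refused."""
        if self._blocked_until.get(key, 0) > now:
            return False
        recent = self._recent[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget fetches outside the window
        if len(recent) >= self.max_downloads:
            # Enforce rather than merely alert: refuse this fetch and lock the
            # key out, so the harvest stops at the threshold.
            self._blocked_until[key] = now + self.block_for
            return False
        recent.append(now)
        return True


def parse_log_line(line):
    ts, account, ip, path = line.split()
    return int(ts), account, ip, path


def enforce(log_lines):
    """Replay an access log through a per-account and a per-IP limiter.

    Returns {account: (allowed, refused)} counting only resume fetches.
    """
    by_account = DownloadRateLimiter()
    by_ip = DownloadRateLimiter()
    outcome = defaultdict(lambda: [0, 0])
    for line in log_lines:
        ts, account, ip, path = parse_log_line(line)
        if not path.startswith("/resume/"):
            continue                        # searches and page views not counted
        # Evaluate both limiters so each keeps an accurate picture of demand.
        ok_account = by_account.allow(account, ts)
        ok_ip = by_ip.allow(ip, ts)
        outcome[account][0 if ok_account and ok_ip else 1] += 1
    return {account: tuple(counts) for account, counts in outcome.items()}


def sample_log():
    """Constructed log: one human recruiter and one bot using two logins."""
    base = 1_216_368_000                    # arbitrary epoch seconds, constructed
    lines = []
    for i in range(20):                     # human: one resume every 3 minutes
        lines.append(f"{base + i * 180} recruiter_jane 198.51.100.7 /resume/{1000 + i}")
    for i in range(120):                    # bot: 120 resumes in 120 seconds
        login = "bot_login_a" if i % 2 == 0 else "bot_login_b"
        lines.append(f"{base + i} {login} 203.0.113.9 /resume/{5000 + i}")
    lines.sort(key=lambda line: int(line.split()[0]))
    return lines


if __name__ == "__main__":
    for account, (allowed, refused) in sorted(enforce(sample_log()).items()):
        print(f"{account:15s} allowed={allowed:3d} refused={refused:3d}")
```

In the constructed log the human recruiter is never touched, while the bot gets exactly 50 resumes through the IP limiter before every further fetch is refused, even though each of its two logins is individually still under the per-account cap at that point. Keying by IP as well as by account is what catches a harvester spreading its requests over bought logins; on a board where many recruiters sit behind one corporate NAT the IP threshold needs to be higher or allow-listed, which this example does not implement.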
This issue is the heart of our efforts at Glandore Systems and we want to hear from you. We are working not only to highlight the issue but to present technological solutions and promote strong privacy practices.
Posted in Glandore Systems | No Comments »
March 31st, 2008 by James
Silicon Republic reports that last Thursday the Irish job board Jobs.ie was hacked, resulting in the theft of a number of resumes. It has become increasingly common for job boards to find themselves targeted by hackers, given the wealth of personal information and contact details they hold, combined with below-par security on many of these sites.
“The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning.”
Jobs.ie were quick to contact affected users, inform them of the security breach and outline how to avoid becoming a victim of the phishing or email scams that might follow as a result. BH Consulting commends Jobs.ie on their quick response and acknowledgement of the issue in a country where there is no mandatory breach disclosure law.
On an international scale, Jobs.ie is a small site. What about the thousands of other job boards out there that don’t have this level of concern for their users? What about the biggest of all - Monster.com? How often does a leak ten times as large as the Jobs.ie breach go undisclosed?
Glandore Systems is working on a solution to eliminate the risk to job-seekers who distribute their resumes online. Anyone who has been affected by a security breach on a job board, or who wants to find out more about how to protect their personal information and guard against identity theft, contact us to learn more.
Posted in Job Boards | 9 Comments »
March 13th, 2008 by James

Recently there have been a number of attempts by job boards to tap into the Long Tail potential of blogs and widget-enabled social network sites through distributed job advertising. While millions of blogs, forums, social networks, and other websites have been living off revenue sharing from Google AdSense, so far nobody has come up with a good solution for distributing job postings. SnapTalent launched today, looking smarter than other efforts made in this area (including Monster’s Career Ad Network).
Promising to help you reach higher quality hand-picked candidates who would never have discovered your company otherwise, SnapTalent ultimately consists of little more than a small preview of a job advertisement in a web page, expanding to a larger version with more information that supports images and embedded video (from YouTube, Google Video, and Vimeo). The value of the service depends on where the ad is shown, so if a lot of website owners sign up and participate then it will open up new opportunities for recruiters who understand their target market.
In 2007, it became common for popular bloggers and news sites to launch a job board. For example, Joel Spolsky has a niche job board affiliated with his software blog which sees regular postings at a cost of $350 per job and gives you access to the highly targeted demographic that frequents his site. SnapTalent goes a step further by integrating the job advertising into the page itself. Consider that the tech news site TechCrunch is currently the most requested advertising destination on SnapTalent, despite already having a traditional job board attached. It reflects the fact that many of the really good quality candidates (both active and passive) never take the time to visit a job board.
Other advantages for advertisers include the ability to pre-pay for clicks rather than per posting. A cost of $250 per 500 clicks sounds like good value, although I would prefer to see a more intelligent billing system (e.g., based on salary or competitiveness, as with AdSense). A portion of the money goes to the website owner, and there should be no shortage of site owners participating as long as this pays better than AdSense.
I did encounter some bugs and JavaScript errors while using the site itself, but I’m sure these will be ironed out soon. Critically, the ads look good. They are customizable, with unobtrusive popups. SnapTalent’s main selling point could end up being the ability to analyze and improve targeting of the jobs, ultimately leading to higher quality candidates and better efficiency overall. SnapTalent does not revolutionize internet recruiting, but it is another step in the right direction and is worth keeping an eye on.
Posted in Job Boards | No Comments »
March 10th, 2008 by Brian

I attended Staffing Industry’s Executive Forum in Las Vegas this past week. The SI Exec Forum is particularly successful in bringing together public company staffing executives and owners of fast-growing private staffing firms. This year, the SI planners chose to locate the event 20 miles from the Las Vegas Strip ($50 cab ride each way), which resulted in record attendance at all the events, an unusual occurrence for a Las Vegas conference. Not sure if that was strategic on their part, or whether they simply went for the cheaper resort, but either way it probably saved me considerable gambling losses due to the inconvenience of the location relative to the Strip. Kudos to you, Staffing Industry, Inc.
A big buzz at the conference was the relatively new concept of the offshore RPO, and I had the opportunity to meet some of the industry leaders in that field. Christopher Even, Director of Global Marketing from RPO Worldwide, and Aaron Green, President of PSG, both provided an informative and compelling discussion of the opportunities and challenges that exist with offshore RPO. The opportunity, as one would expect, is the ability to leverage a low-cost workforce, and the bulk of the challenges centered around communication and integrating the offshore component with one’s onshore team as seamlessly as possible.
I asked the panel how they go about measuring the service’s effectiveness and potential ROI for their customers and was extremely encouraged by their response. OK, clearly it was a loaded question, as one of Glandore Systems’ flagship products does exactly this in real time. Instead, I was told that one needs to give the offshore partnership time to evaluate it (the 30-day hypothetical scenario I gave was dismissed as much too short a time in which to measure its ROI). The panel’s response indicated to me that one of Glandore Systems’ technology solutions for offshore RPOs represents an enormous market opportunity. The offshore RPO industry is clearly in its infancy, and congrats to Chris and Aaron for forging the way with the services and infrastructure.
Posted in Staffing Industry | No Comments »
March 6th, 2008 by James

Today we launched our new website and company blog (proudly powered by WordPress - the “state-of-the-art semantic personal publishing platform”).
These are exciting times for the industry. Over the past few years, the increasingly central role of the internet in the hiring process has been supported by advancements in technology that paved the way for innovation and better practices across the board. On this blog, we’ll be keeping an eye on how the industry evolves to make the most of the tools available, and keeping you up to date on what we’re working on at Glandore Systems.
Please feel free to join the discussion and leave a comment or contact us. Don’t forget to subscribe to get these updates as they happen.
Posted in Glandore Systems | No Comments »