Jobs.ie Hacked - Anyone Else?

March 31st, 2008 by James

Silicon Republic reports that last Thursday, the Irish job board Jobs.ie was hacked, resulting in the theft of a number of resumes. It has become increasingly common for job boards to find themselves targeted by hackers due to the wealth of personal information and contact details they hold, combined with below-par security on many of these sites.

“The fact that this information was illegally gathered increases the possibility of it being illegally used. This would include seeking personal loans and credit cards, identity theft, seeking false ID such as a driving licence or birth certificate, and identity cloning.”

Jobs.ie were quick to contact affected users, inform them of the security breach, and outline how to avoid becoming a victim of the phishing or email scams that might follow as a result. BH Consulting commends Jobs.ie on their quick response and acknowledgement of the issue in a country where there are mandatory breach disclosure laws.

On an international scale, Jobs.ie is a small site. What about the thousands of other job boards out there that don’t have this level of concern for their users? What about the biggest of all - Monster.com? How often does a leak ten times as large as the Jobs.ie breach go undisclosed?

Glandore Systems is working on a solution to eliminate the risk to job-seekers who distribute their resumes online. If you have been affected by a security breach on a job board, or want to find out more about how to protect your personal information and guard against identity theft, contact us to learn more.

9 Responses to “Jobs.ie Hacked - Anyone Else?”

  1. paul

    James, I would be interested to hear what you do. Currently we run jobberbase on http://www.jobsinireland.org , which sends the CVs direct to the employers. It’s a simple approach, but it works!
    paul

  2. Ivan | JobsBlog.ie

    And they are not the first and the only one…

    Ivan | http://www.JobsBlog.ie

  3. James

    Ivan - wow, that Irishgradjobs.ie security flaw looks very bad - all of the resumes open in a publicly accessible folder. You are dead right in the post on your blog - there are so many job boards springing up over the past two years, far too many of them cut corners on the application development and pay little attention to security. Even medium sized job boards often do not have software developers on staff who can identify and patch security flaws when they do happen.

    Paul - you send the CVs direct to the employer, do you store a copy online? If not, then you have saved yourself a lot of potential headache - as they say, the only 100% secure database is the one that doesn’t exist :)

  4. paul

    James: Technically the CVs are uploaded, and then deleted. The upload folder is protected by .htaccess in case anyone looks at it at the right/wrong time and tries to download the CV.

  5. James

    Paul, that’s what I mean. There are other ways of getting to the data than accessing an open directory, and the easiest way is the Monster way - by hijacking an employer’s account. By giving full search functionality to all employers, all it takes is for someone to break into an account (there are lots of ways - a brute force attack, social engineering, session hijacking, SQL injection, etc.) and they can use a bot to automatically download thousands of CVs in seconds.

    I don’t know how many of the major job boards are protecting against this yet. One mode of protection would be to limit the number of CVs that any one account could download in a minute to protect against scripts. Breaches of this nature happen every day but are rarely disclosed, let alone making it to the newspaper.

  6. paul

    I think it is also possible to move the upload directory to a non-web-accessible folder, that might be a better idea.

    But you are right, these people will go to any lengths to try and break into information rich databases. Having emails/phone numbers/backgrounds of people and addresses is a good start at the whole identity theft idea.

    I’m guessing that Jobs.ie did have some way of detecting the break-in, maybe it was a counter for checking how many CVs were being downloaded. On Boards.ie someone mentions that up to 60k CVs could have been compromised.

    paul

  7. Glandore Systems Blog » Blog Archive » Resume theft? Tell Us Your Story.

    […] Contact « Jobs.ie Hacked - Anyone Else? […]

  8. Ivan | JobsBlog.ie

    Well when you get someone from a far away country that you are not too sure what continent it is on, paying with the credit card of a resident in the US, usually a very young one, subscribing to your CV database online,… as a manager of a job board, should act as a safe keeper of the users’ data, and should not think about the revenue that you can make quickly there.

    Monster had it, Jobs.ie had it, and LoadzaJobs.ie was offline the whole day yesterday!!!

    Just a bit too greedy….

    Ivan

  9. Alison Deegan

    I am one of the people whose CV/resume was apparently illegally downloaded. I was horrified at this. I do not have a bebo, myspace, facebook or any other social networking type site that puts your information on the internet. I just wanted a job. I also tried to delete my account but all I could do was delete my CV and change my account, very poor! I have to now put up a further secure warning in my bank, I got a call from a recruitment agency, perhaps that is who downloaded the CVs. Besides all my complaining, I would like to know what exactly will happen with my details? and why my cv it was awful!!!!!.
    Alison
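
The per-account download limit suggested in comment 5, and the download counter guessed at in comment 6, sketched as an added example that is not part of the original post or its comments. The class name, thresholds, account names and sample traffic are all constructed for illustration.

```python
from collections import defaultdict, deque


class CvDownloadLimiter:
    """Sliding-window cap on CV downloads per employer account (hypothetical)."""

    def __init__(self, max_downloads=10, window_seconds=60, alert_after=5):
        self.max_downloads = max_downloads      # assumed cap per window
        self.window_seconds = window_seconds
        self.alert_after = alert_after          # refusals before flagging
        self._recent = defaultdict(deque)       # account -> served timestamps
        self._refused = defaultdict(int)        # account -> refused requests
        self.flagged = set()                    # accounts needing manual review

    def allow(self, account, now):
        """Return True if this download may be served at time `now` (seconds)."""
        recent = self._recent[account]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) < self.max_downloads:
            recent.append(now)
            return True
        # Over the cap: refuse, count it, and flag persistent offenders.
        self._refused[account] += 1
        if self._refused[account] >= self.alert_after:
            self.flagged.add(account)
        return False


def replay(events, limiter):
    """Feed (timestamp, account) events through the limiter; return served counts."""
    served = defaultdict(int)
    for now, account in events:
        if limiter.allow(account, now):
            served[account] += 1
    return dict(served)


# Constructed sample traffic: a recruiter browsing by hand on one account and
# a script requesting 20 CVs per second for 10 seconds on another.
SAMPLE_EVENTS = sorted(
    [(t * 45.0, "employer-a") for t in range(6)]
    + [(100 + i * 0.05, "employer-b") for i in range(200)]
)

if __name__ == "__main__":
    limiter = CvDownloadLimiter()
    print(replay(SAMPLE_EVENTS, limiter), limiter.flagged)
```

A per-minute cap only slows a patient script, so the flagged set is meant to feed a manual review or an account lock rather than stand as the only control.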
