Archive for the ‘Identity Theft’ Category

Russian Gang Launches New ID Harvesting Tool for Job Boards

Friday, July 18th, 2008

In the past, we have mentioned ‘bots’ that harvest resumes from job boards in order to build a database of identities for fraudulent use. The Register has an article about a new tool for harvesting identities from job boards.

A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseekers has been placed at risk, according to net security firm PrevX.

The article makes some recommendations on how a job board should block identity harvesting services. The security firm quoted recommends limiting the number of searches a recruiter can carry out, or using a “CAPTCHA” (like one of those blurred images when you sign up to a website). Limiting the number of searches is definitely a good idea. Some of the big job boards have this in place, but it is something that should be considered by all job boards. It is physically impossible for a human to download 50 resumes in two minutes, so why not block (or slow down) users who attempt to do so?
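To make the “50 resumes in two minutes” rule concrete, here is an added example (not code from the original post or from any job board) of a sliding-window limiter keyed by recruiter account. The threshold and window are taken from the post’s own figure; the account names, the replay helper and the sample download events are constructed for the illustration.

```python
from collections import defaultdict, deque

# Policy taken from the post's figure: no human downloads 50 resumes in two
# minutes, so anything beyond that within a 120-second window is treated as
# harvesting. Both values are hypothetical tuning knobs.
MAX_DOWNLOADS = 50
WINDOW_SECONDS = 120


class ResumeDownloadLimiter:
    """Sliding-window counter of resume downloads per recruiter account.

    Each account keeps a deque of recent download timestamps (seconds).
    Timestamps older than the window are evicted before the count is checked,
    so the limit applies to the last WINDOW_SECONDS rather than to fixed
    calendar buckets that a harvester could straddle.
    """

    def __init__(self, max_downloads=MAX_DOWNLOADS, window_seconds=WINDOW_SECONDS):
        self.max_downloads = max_downloads
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)

    def allow(self, account, now):
        """Record a download attempt at time `now` and return True if it is
        within policy, or False if the account should be blocked (or slowed)."""
        q = self._events[account]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_downloads:
            return False          # denied attempts are not counted as downloads
        q.append(now)
        return True


def replay(events, limiter=None):
    """Run (timestamp, account) download events through the limiter in time
    order and return {account: number of denied downloads}."""
    limiter = limiter or ResumeDownloadLimiter()
    denied = defaultdict(int)
    for ts, account in sorted(events):
        if not limiter.allow(account, ts):
            denied[account] += 1
    return dict(denied)


# Constructed sample: a human recruiter opening a resume roughly every 90 s,
# and a harvesting bot pulling one every second for 200 seconds.
SAMPLE_EVENTS = (
    [(i * 90, "recruiter-human") for i in range(20)]
    + [(i, "harvester-bot") for i in range(200)]
)

if __name__ == "__main__":
    # Expected: the human is never denied; the bot is denied 100 of 200 pulls.
    print(replay(SAMPLE_EVENTS))
```

A real deployment would back the per-account state with a shared store rather than process memory, and would key on more than the login (session, IP range, API token) since a harvester can register several recruiter accounts; the windowing logic stays the same.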

As for the CAPTCHA… it is inconvenient and annoying, and it slows down and frustrates recruiters. But does it work? For one thing, you’re in a race against hackers who will try to build software to automatically crack your CAPTCHAs. And if that fails, they can always resort to human CAPTCHA crackers getting paid $3 per day. But it is an option that could be used as part of a greater security policy. The most important thing is for job sites to realise that harvesting tools like this exist, and to develop a security strategy to protect against them.

Confidential Laptop Stolen… 7 Years Ago

Tuesday, May 13th, 2008

They’re coming out of the woodwork now. The latest in the Bank of Ireland saga is that they have admitted that another laptop was stolen… seven years ago.

  • 2001: Bank of Ireland laptop gets stolen. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments. They tell nobody.
  • 2002: ??
  • 2003: ??
  • 2004: ??
  • 2005: ??
  • 2006: ??
  • 2007: Bank of Ireland laptops stolen on at least four occasions, containing personal information of tens of thousands of people. Unencrypted, including contact information, dates of birth, addresses, bank account details, medical histories and investments.
  • 2008: Bank of Ireland admit the theft of four laptops, but initially acknowledge only part of the impact. The media swoops, the public responds, pointy-haired bosses get an earful, and basic policies from Security 101 (like encrypting laptop hard drives) are introduced.

There are a lot of conclusions that could be drawn from this timeline. Here are some of mine:

  • The Irish Guild of Laptop Thieves must have called a four year strike between 2002 and 2006 as protest against rising house prices in Ireland.
  • Institutions like Bank of Ireland can repeatedly get away with disastrous privacy leaks simply by not telling anyone.
  • Nothing ever gets done until it’s in the spotlight and pressure is applied.

Bank of Ireland has once again played down the potential threat of this theft, stressing the fact that the data stolen is seven years old. The HSE files in the field were 25+ years old; it doesn’t matter if the data is old. Data such as name, date of birth, address, bank details, medical history, etc., do not change regularly. And if my details are sitting in a scammer’s database, I don’t care how up to date they are.

Bank of Ireland are playing down the potential threat simply because it is in their interest to minimise this problem - the one they didn’t want to admit to in the first place. We need the Data Protection Commissioner to be informed of these instances when they happen in order to independently investigate and assess the potential threat.

Confidential Medical Files “dumped in fields in Co Cork”

Thursday, May 1st, 2008

It has been a high profile week for identity theft issues in Ireland. First we heard about the Bank of Ireland laptop data theft, prompting Glandore Systems to call upon the Irish government to introduce mandatory disclosure laws (responding to this breach and others recently, such as Jobs.ie and the Blood Transfusion Service). Somebody at Glandore Systems called “James Gavin” was quoted in the Irish Examiner speaking on the issue - he must be a new hire or something :)

The need for mandatory breach disclosure was validated only a few days later, as Bank of Ireland have admitted to the issue being much larger than they initially said. Now 30,000 users are affected, from 29 different branches. I will only reiterate that for all we know there could be 300,000 users affected - if the bank has no legal obligation to disclose data theft then how can we expect to know?

Mirroring the disregard that a major Irish bank shows for its customers’ privacy, now we find out that the Health Service Executive has dumped confidential medical files in a field.

The files contain detailed medical histories of people who were treated at Cork Regional Hospital, the hospital now known as Cork University Hospital, and at St Finbarr’s Hospital in the city.

Data includes the names, addresses, dates of birth and medical conditions of patients treated in the 1970s and early 1980s.

The HSE says that it “does not know how many”. Between the Regional Hospital and St. Finbarr’s, that potentially covers just about every Cork person over the age of 25 - including me. Once again, a major institution in Ireland has put the population at risk of identity theft and other fraud. How will the government respond? A bank doesn’t even bother to encrypt its files. The health service dumps confidential files in a field. Institutions like Bank of Ireland and the HSE will only introduce stricter security policies if the government brings in some laws to protect us from their neglect.

Another Cork-based software company, You Get It Back, puts things into perspective by using the Washington Post’s estimates to gauge how much a thief can gain from selling personal details on the black market. In the case of the backup tapes that were stolen from the University of Miami last week, it amounts to $28 million! With figures like this, even your average laptop thief on the street is going to wake up to the fact that there is big money to be made if you can get your hands on some juicy personal details. Institutions need to be held accountable when they allow theft like that to occur, but they’re never going to be held accountable if they don’t even have to admit to the data loss in the first place!

Bank of Ireland Security Breach - 10,000 Customers

Tuesday, April 22nd, 2008

The theft of four Bank of Ireland laptops containing customers’ names and addresses, medical backgrounds, life assurance details and bank account details is big news at the moment.

The details of 10,000 customers were stored unencrypted on a number of laptops that were stolen - one from a BoI branch, and three from cars on separate occasions. I won’t even think about the laptop that was stolen from a branch - if somebody can walk into a bank and steal a laptop then obviously there is a much bigger issue here. But I’m stunned by the theft of laptops from cars - were these sitting on the passenger seat while some guy went in to Spar for his breakfast roll? Many companies train their employees on how to avoid getting their laptop stolen. Some high-tech approaches include putting the laptop into the boot of the car before leaving the office. But when you’re dealing with something as sensitive as we have here, is it even necessary for the information to leave the relative safety of BoI HQ? Why were employees of the bank carrying such sensitive information around in their car? Why was it not encrypted? The fact that this was allowed to happen in the first place shows a lack of security awareness in the bank, and an inadequate security policy in place.

It gets worse. Justin Mason points out that the breach did not come from the bank at all - it was the DPC who first raised the issue. As we mentioned in relation to the jobs.ie hack, there are currently no laws for mandatory disclosure in Ireland. So if the bank does not take responsibility and inform its victims of the theft (out of good will or otherwise), how can we know that this has not happened before? They have admitted that this is not a once-off; these four laptops were stolen on separate occasions.

So what now for the 10,000 people who have had their medical details compromised? RTE references a statement by Mr Burrows from Bank of Ireland:

Mr Burrows, who was speaking in Belfast at the launch of new bank notes, admitted that the theft had been deeply embarrassing for the bank. But he said the bank is confident that none of the information stored on the computers has been illegally used.

How can the bank be confident that none of the information has been used illegally? They are monitoring the BoI accounts of those 10,000 victims, but do you think the only potential scam is to withdraw money? These thieves are resourceful enough to rob a bank; could we not assume that they’re capable of taking some medical records and personal details and selling them to professional scammers who are far more experienced in matters of fraud than anyone who works at BoI?

The issue here is an underlying lack of responsibility from BoI from start to finish. They were irresponsible when it came to protecting your data. They were irresponsible when they opted not to disclose the breaches initially. And now they’re being irresponsible as they play down the potential impact, moving to dismiss legitimate concerns that victims might have.

The Real Hustle - “The Recruitment Scam”

Monday, April 14th, 2008

BBC’s The Real Hustle is a TV show focusing on how easy it is to be scammed and conned in every day life. This week, the team posed as recruitment consultants, highlighting the trust that job seekers are willing to impart during their job search.

The clip is an eye-opener - “identity theft on a grand scale”. In this episode, the girl gives her passport number and bank statements, which allow the hustlers to apply for mortgages, credit cards, duplicate passports, and birth certificates all in her name. She is not alone, as the other job seekers give their details without question, assuming that the recruitment agency is on their side. The staffing industry is very fragmented with the majority of recruitment companies doing less than $2 million in revenue. With so many small, owner-operated agencies, it is difficult to know who you can trust.

What The Real Hustle describes as “a steady stream of job seekers all willing to divulge their personal details” exists on the internet on a scale a million times larger. Due to the lower barrier to entry for online recruitment sites, without the need to rent an office or put on a suit, the online jobs market is even more fragmented and inherently less trustworthy. Even the most “legit” job sites have shown that, even if they do have your best interests in mind, they do not always take the steps necessary to protect your identity.

People often underestimate the value of information, but even something as inconspicuous as a maiden name is sometimes used as a password for banking. In this video, the girl is asked to choose a 4-digit PIN as part of her application, and she uses the same one as on her bank card. This is often the case with the passwords people choose online. Bad practices, such as storing plain-text passwords, are always going to exist; improving awareness is the key for now.
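Since the post names plain-text password storage as the bad practice, here is an added example (not code from the post or from any site it mentions) that puts the plain-text record beside a salted, iterated hash of the same PIN. It uses only the Python standard library; the iteration count, salt size and record format are assumptions made for the illustration, and the sample PINs are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical parameters for this example. PBKDF2-HMAC-SHA256 is in the
# standard library, so the block runs offline with no extra packages.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password):
    """The bad practice the post names: the stored record *is* the secret.
    Anyone who copies the database (or lifts it off a stolen laptop) gets
    every PIN, including ones users also use on their bank cards."""
    return password


def store_hashed(password, salt=None):
    """Salted, iterated record in the form 'iterations$salt_hex$digest_hex'.
    A fresh random salt per user means two people who picked the same PIN
    end up with unrelated records, and the iteration count slows guessing."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password, record):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how much matched."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_secret_visible(records):
    """True if any two stored records are identical, i.e. an attacker reading
    the table can tell that two users chose the same secret."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample: two applicants who both chose the PIN 1234.
    plain = [store_plaintext("1234"), store_plaintext("1234")]
    hashed = [store_hashed("1234"), store_hashed("1234")]
    print("plain-text records leak reuse:", same_secret_visible(plain))   # True
    print("hashed records leak reuse:   ", same_secret_visible(hashed))   # False
    print("correct PIN verifies:        ", verify_hashed("1234", hashed[0]))
```

The point of the contrast is not that hashing makes a 4-digit PIN strong (a 10,000-value space is guessable regardless), but that a leaked table of salted hashes does not hand the attacker the PIN itself, nor reveal which customers reuse one.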
