A misconfigured cloud account has exposed the personal information of tens of thousands of jobseekers.
The AWS S3 bucket left exposed and unsecured by FastTrack Reflex Recruitment was discovered by the Website Planet research team.
The 5GB trove of data exposed 21,000 files, including personal information contained in CVs, such as personal IDs (passports, citizen ID cards, driver’s licenses, and skilled worker IDs), in addition to directly identifiable PII including full names, email addresses, mobile phone numbers, home addresses, and social network URLs.
The 21,000 client files belong to people whom FastTrack Reflex Recruitment has been connecting with brands and organizations for work across the UK.
If the data had been found by threat actors, it could have been utilised to commit identity theft, fraud and phishing attacks. Website Planet added that the information could have been used for corporate espionage.
The leak was discovered on December 29 last year and, after numerous attempts to reach the recruitment firm, the bucket was finally secured on March 23.
Website Planet said:
“FastTrack, and anyone else implicated in this breach, should be vigilant when receiving calls from parties claiming to be clients or associates. In which case, businesses must implement strategies to confidently identify these individuals.”
“It’s crucial that FastTrack, as well as any businesses at-risk of this exposure, implements stringent security measures when storing customer data. Businesses should hire a cybersecurity professional, to be sure that customer data is adequately protected.”