The British newspaper whose job board was hacked over the weekend is advising the half-million users whose information may have been accessed to buy identity insurance and notify credit reporting agencies.
An indignant Twitter post by one of those whose account with The Guardian jobs site was compromised says she received an email from the newspaper advising her of the illegal access and suggesting she subscribe to an identity protection service.
“got the guardian hack email – they suggest I buy identity fraud protection services. Hang on, who let people steal my information?” reads the tweet by Joelle Nebbe-Mornod, a technology consultant and former CTO now in the U.K.
The site itself gives no hint of the hack, until you scroll almost to the bottom of the home page where, under a heading of Workplace News, there is a short item headlined: Guardian jobs site – Security Breach. It links to a page of more detailed information.
There, The Guardian reports that the site is now secure and adds, “It is clear that only a minority of Guardian Jobs users are at risk. Some of the data which appears to have been stolen is up to two years old. We have emailed the approximately half a million users whose data may have been compromised. This is out of the total of 10,328,290 unique users the site has per calendar year. The USA jobs site has not been affected.”
In an FAQ, The Guardian recommends users whose accounts were compromised obtain fraud protection at their own expense.
“The Guardian, in common with our users is also a victim of this crime and we deeply regret that this breach has occurred. We believe our technology and security measures were more than compliant but regrettably the threat from criminal hackers is continually evolving. Whilst our investigation is continuing we suggest that each individual should decide whether to follow the guidance recommended by the police and meet any associated costs.”
The Guardian’s British site is powered by Madgex Job Board Software. The U.S. job site is run by Indeed.com.
The Guardian says that no personal accounts were accessed, but other, potentially sensitive, information was. “Job application data, material such as covering letters, and CVs. We have no reason to believe that any financial or bank data was compromised in this incident.”
Police are investigating the access. No technical details have been released, however some technical publications have offered possible methods.
This is the second major security breach of a British job board this year. Monster’s UK site was hacked in January and some 4.5 million records were stolen.
1 comment
rss | trackback
Steven Rothberg Oct 29, 2009 at 11:50 am
This is one of the primary reasons why 1.5 years we became the first major job board to kill its resume searching tool. See http://www.collegerecruiter.com/press-room/general/collegerecruitercom-first-majo/. The risk of hacking and identity theft is too great and increasing. Job boards cannot properly secure their resume banks while at the same time making them easy to log into for their employer clients. When I.T.’s security interests are pitted against marketing’s sales interests, guess who tends to win?
The International Association of Employment Web Sites (IAEWS) meets next week in Chicago. Hopefully this issue will (again) be raised and hopefully more job boards will choose to follow our lead. We followed the lead of RecruitingNevada.com. A representative from that site talked about how and why they never allowed resume searching. I was convinced their approach was correct so we killed resume searching shortly afterward.