Recruiter’s Cloud Snafu Exposes 20,000 CVs and ID Documents
Website Planet researchers recently uncovered an AWS S3 web bucket left unsecured by FastTrack Reflex Recruitment, which has been renamed to TeamBMS. The database included personal information pertaining to tens of thousands of jobseekers and held sensitive data and documents such as dates of birth, email addresses, full names, home addresses, social network URLs, passport numbers, and applicant photos. The research team at Website Planet has determined that TeamBMS’s IT service provider may have been behind the privacy incident. The database consists of 5GB of information, roughly 21,000 files.
The firm responsible for the privacy incident specializes in recruitment for the building management systems sector and for projects including the skyscrapers 22 Bishopsgate and The Shard, Wembley and the Olympic Stadium, and Heathrow Terminal 5. If the database was already accessed by threat actors, the information could be used to commit identity theft, fraud, or advanced phishing attacks that use personal data to be more convincing. Website Planet also believes that the information could be used for corporate espionage or to target victims’ homes for burglary. The bucket was finally secured on March 23, after the research team discovered the leak on December 29 of last year and reached out to the company several times. Due to the length of exposure and the nature of the information the bucket contained, those impacted should be on guard for any suspicious activity.