Global consulting firm Capgemini has been blamed for a data leak affecting its client, the recruitment firm Michael Page. The leak was made public by security researcher Troy Hunt in a blog post on his website. According to Hunt: “… there were over 780k unique email addresses in that one file and plenty of data relating to candidates’ jobs such as cover letters relating to their experience”.
The FAQ on the Michael Page website gives a different account of what was leaked. It makes no mention of cover letters, only of the details of any covering message candidates sent when applying for a job. Although passwords were in the file, Michael Page has said that nobody needs to change their password, because: “this is encrypted into a code and not readable by any third-party”.
This is a strange statement. “Encrypted into a code” most likely means the passwords were stored as hashes rather than in plain text, but the FAQ does not say which algorithm was used, whether the hashes were salted, or what work factor was applied. A hash protects a password only for as long as it takes an attacker to guess it, and once the file has been copied that guessing happens offline, at the attacker’s leisure and with no rate limiting; weak or reused passwords fall in seconds. The assumption that the code cannot be broken should never be made. Industry best practice is to force users to change their passwords whenever a breach of password data is detected.
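To make the point concrete, the following Python script is an added example written for this article; it is not code from Michael Page, Capgemini or Troy Hunt, and the article does not say how the leaked passwords were protected. The script therefore assumes two storage schemes, unsalted SHA-1 and salted PBKDF2-HMAC-SHA256 with a deliberately low iteration count, and runs a dictionary attack against a constructed four-account dump with a constructed ten-word list. Every account name, password and wordlist entry is made up for the demonstration.

```python
"""
Why "the passwords are encrypted" is not a reason to skip a password reset.

Added example, not from the article or from any party named in it. The
storage schemes below are ASSUMPTIONS made for illustration: the article
does not say how the leaked passwords were actually protected.
"""
import hashlib
import os

# Constructed sample accounts (made-up data, not leaked data). Three weak
# passwords and one long random one.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password1",
    "bob@example.com": "Summer2016",
    "carol@example.com": "letmein",
    "dave@example.com": "x7$Kq!9vL2#mPz4R",
}

# Constructed wordlist: a tiny stand-in for the multi-million-entry lists
# attackers build from earlier breaches.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty",
            "Summer2016", "Winter2016", "welcome1", "michael", "recruit"]

# Assumed work factor for the salted scheme. Kept low so the demo runs in a
# few seconds; real deployments should use a far higher count.
ITERATIONS = 50_000


def build_unsalted_sha1_dump(accounts):
    """Simulate a dump where each password is stored as plain SHA-1 (assumed scheme)."""
    return {email: hashlib.sha1(pw.encode()).hexdigest()
            for email, pw in accounts.items()}


def crack_unsalted_sha1(dump, wordlist):
    """Dictionary attack against an unsalted fast hash.

    Each guess is hashed once and compared against every account at the same
    time, so a 780k-account file costs no more per guess than a single account.
    """
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


def build_salted_pbkdf2_dump(accounts):
    """Simulate a dump using a per-user random salt + PBKDF2-HMAC-SHA256 (assumed scheme)."""
    dump = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        dump[email] = (salt, dk)
    return dump


def crack_salted_pbkdf2(dump, wordlist):
    """Dictionary attack against a salted, iterated hash.

    The salt is stored next to the hash, so it hides nothing; it only stops
    one guess being reused across accounts, and the iteration count makes
    each (account, guess) pair cost ITERATIONS hash calls instead of one.
    Weak passwords still fall, just more slowly.
    """
    recovered = {}
    for email, (salt, stored) in dump.items():
        for guess in wordlist:
            dk = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
            if dk == stored:
                recovered[email] = guess
                break
    return recovered


def accounts_needing_reset(accounts, wordlist):
    """Return the set of accounts whose password is recoverable under either
    assumed scheme. Anything in this set is already compromised the moment the
    file leaves the server, regardless of what the FAQ calls the encoding."""
    sha1_hits = crack_unsalted_sha1(build_unsalted_sha1_dump(accounts), wordlist)
    pbkdf2_hits = crack_salted_pbkdf2(build_salted_pbkdf2_dump(accounts), wordlist)
    return set(sha1_hits) | set(pbkdf2_hits)


if __name__ == "__main__":
    for email in sorted(accounts_needing_reset(SAMPLE_ACCOUNTS, WORDLIST)):
        print("reset required:", email)
```

Run as is, the script recovers the three weak passwords under both schemes and fails only on the long random one. The salted, iterated scheme does not change which accounts are compromised; it changes how long the attacker spends, which is why a reset is the only safe response once the file is known to be in someone else’s hands.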
How did the leak occur?
Hunt has declined to give details of how the leak occurred. He says: “there were numerous failings which led to the exposure of this data. I won’t go into those here, some of them are obvious and others are up to Capgemini to choose how transparent they wish to be.”
What is known is that the data came from a development server rather than from production systems. That points to two failings: real candidate data was loaded into a development environment at all, and that environment was reachable from the public internet, which suggests a serious weakness in how development systems and their data are partitioned from public-facing ones. There also appear to have been security issues with the software running on the server, though neither Hunt nor Capgemini has said what they were.
So how transparent is Capgemini being? Not at all. When Enterprise Times contacted the company, it provided a statement to be attributed to an unnamed spokesperson. It says: “We have worked very closely with the PageGroup to investigate this incident. Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident. Privacy and security are key priorities for Capgemini; we are confident in our security procedures and data protection measures and are continuously improving them.”
Will Capgemini review its development teams’ processes?
The answer has to be “yes”. Capgemini’s response is that this was not a malicious attack, but it stops short of blaming human error. That leaves open whether this was a one-off or a problem with the way its development teams work. Given the number of customers Capgemini does development work for, that distinction matters a great deal. Whichever it is, Capgemini will be spending a lot of time reviewing this leak and talking to its other clients.
If there is an upside, it is that the leaked data does not contain CVs. Few people realise how much they give away in those documents, or how valuable they are to cyber criminals. It is data that can be exploited over a long period: to craft highly personal phishing attacks against individuals or the people they have worked with, to build convincing fake profiles on sites such as LinkedIn and, most importantly, to assemble fake identities for scams and cons.
This is not just an issue for Capgemini. Development teams have used cloud-based services for some time, but they rarely review how those services work and how their protections differ from those of internal systems. This leak shows that companies increasingly need to ensure that their cloud-based development environments are secured to the same standard as production, including limits on the real data they are allowed to hold.