Capgemini exposes millions of recruitment firm clients

Australian jobseekers' data spills onto the internet.

The private information of Australian jobseekers has been exposed on the internet after global IT and management consultancy Capgemini placed database backups on a publicly accessible server.

The data breach at recruiter Michael Page, part of PageGroup, bears resemblance to last month's Red Cross Blood Service leak, Australia's largest so far with some 1.3 million records exposed.

Operator of the haveibeenpwned.com website Troy Hunt said he was contacted on October 30 by the same person who discovered the Red Cross Blood Service data on a publicly accessible server.

Hunt was sent a 362MB compressed database file containing 780,000 jobseeker records for UK citizens that had been published online by Capgemini.

A further 331MB compressed database for Australian jobseekers impacts around 713,000 individuals.

Hunt estimated the total amount of uncompressed data for the leak to be in the region of 30 to 40GB, which could translate into as many as eight million global user records.

PageGroup said the databases had been placed on a development server by its IT provider Capgemini.

As with the Red Cross Blood Service breach, Hunt said no particular skill was required to discover the database backup files. 

"It's really simple, someone just left the data on the server, and it was easily found," Hunt told iTnews.

"It's not just one mistake, but several, including backing up production data to a development server, connecting that to the internet and enabling directory browsing.

"Was it one person who did this, or did it take a concerted effort by several people to make the basic errors that led to the leak?"

PageGroup's press kit [pdf] says the company's clients include brands such as Adidas, BT, Amazon, Diageo, Samsung, HSBC, Rolls Royce, Deloitte, BP, eBay and Twentieth Century Fox.

The company told users it had taken action to secure the servers in question.

PageGroup said user information such as names, email addresses, phone numbers, location, and employment data was leaked.

User passwords for the Michael Page site were also exposed, but PageGroup advised customers there was no need to change them as they were "encrypted into a code and not readable by any third-party".

Copyright © iTnews.com.au . All rights reserved.