Security software vendor UpGuard says Australian-operated staffing firm OneHalf exposed the records of hundreds of employees in a public GitHub repository.
Greg Pollock, a member of UpGuard’s Cyber Risk Team, told iTnews he discovered the data on August 9th and reported it to OneHalf the next day, but that multiple attempts to contact the company produced no response. The repository was made secure on August 22nd.
OneHalf is a staffing agency that uses an Australian URL but appears to operate in the Philippines and offer workers based there to Australian companies. The company says its founders are Australians.
Pollock said he found database backups listing hundreds of OneHalf workers-for-hire in the repository, along with source code for an internal application that identified several OneHalf employees.
The database was unencrypted and held around 30 fields of data for most of the listed workers. For 180 of them, however, it held 90 fields of medical data, including clinical history that named the illnesses those workers had experienced.
Most of the named workers appear to reside in the Philippines.
Pollock said the repository appeared to have been created in early 2018 and left unsecured ever since, accessible to anyone who bothered to search GitHub.
He blamed lax practices for the breach: GitHub repositories can be made private, and database backups do not belong in source control at all, but the developers who used the service for OneHalf appear to have ignored basic security practice and/or relied on security through obscurity.
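The failure described above is a database backup committed to a repository that anyone could read. A cheap control is a pre-commit check that refuses to commit files that look like database dumps, and flags column names suggesting personal or health data. The following is an added example written for this article; it is not UpGuard's tooling or anything from OneHalf's repository. The file set, the extension list, the dump signatures and the sensitive-column word list are all assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical file set standing in for the files staged in a
# commit. Not OneHalf's repository and not UpGuard's code.
SAMPLE_FILES: Dict[str, bytes] = {
    "app/main.py": b"print('hello')\n",
    "backups/staff.sql": (
        b"-- MySQL dump 10.13\n"
        b"CREATE TABLE `staff` (`id` int, `name` varchar(64), `clinical_history` text);\n"
        b"INSERT INTO `staff` VALUES (1,'A. Example','asthma');\n"
    ),
    "data/cache.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "notes/README.md": b"# Notes\nRun the app with python main.py\n",
}

# Extensions commonly used for database dumps and backups (assumed list).
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".dump", ".bak", ".db", ".sqlite", ".sqlite3")

# Content signatures checked against the first few KB of each file:
# (label, byte regex). mysqldump, pg_dump and SQLite write these headers.
DUMP_SIGNATURES: List[Tuple[str, bytes]] = [
    ("mysqldump header", rb"^-- MySQL dump"),
    ("pg_dump custom format", rb"^PGDMP"),
    ("pg_dump plain SQL", rb"^-- PostgreSQL database dump"),
    ("SQLite file", rb"^SQLite format 3\x00"),
    ("SQL DDL/DML", rb"\bCREATE TABLE\b|\bINSERT INTO\b"),
]

# Column-name fragments that suggest personal or health data (assumed list).
SENSITIVE_COLUMNS = re.compile(
    rb"clinical|medical|diagnos|illness|health|passport|tax_file|date_of_birth|salary",
    re.IGNORECASE,
)


def scan_files(files: Dict[str, bytes], head_bytes: int = 4096) -> List[dict]:
    """Return one finding per file that looks like a database dump or backup.

    Each finding lists why the file was flagged and any sensitive-looking
    column names seen in its first `head_bytes` bytes.
    """
    findings = []
    for path, data in files.items():
        head = data[:head_bytes]
        reasons = []
        if path.lower().endswith(DUMP_EXTENSIONS):
            reasons.append("dump-like extension")
        for label, pattern in DUMP_SIGNATURES:
            if re.search(pattern, head, re.MULTILINE):
                reasons.append(label)
        if not reasons:
            continue
        sensitive = sorted({m.group(0).decode().lower()
                            for m in SENSITIVE_COLUMNS.finditer(head)})
        findings.append({"path": path, "reasons": reasons,
                         "sensitive_terms": sensitive})
    return findings


def should_block(findings: List[dict]) -> bool:
    """A pre-commit hook would exit non-zero when this returns True."""
    return bool(findings)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}: {', '.join(f['reasons'])}; "
              f"sensitive columns: {f['sensitive_terms'] or 'none'}")
    raise SystemExit(1 if should_block(scan_files(SAMPLE_FILES)) else 0)
```

As a hook, the file map would be built from `git diff --cached --name-only -z` rather than the constructed sample, and the check should run server-side too (a pre-receive hook or a CI job), because a developer can skip local hooks. The content signatures matter more than the extension list: a dump renamed to `.txt` still begins with its tool's header.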
The researcher said that while OneHalf did not reply to his warnings, he feels the change in security settings on its repository indicates a response.
iTnews contacted OneHalf for comment, but the company has not responded at the time of writing.