Experts Reaction On UK Job App Exposes Thousands Of CVs Online

It has been reported that Sonic Jobs, a UK retail and restaurant jobs app used by the Marriott and InterContinental hotel chains, has exposed over 29,000 CVs online revealing job-hunters’ names, addresses, phone numbers and career histories to potential cyber criminals. The firm made the settings on their cloud storage buckets public, which meant that when someone applied for a job their CV was available for anyone who knew the location of the bucket to see and download it.

Experts Comments

October 21, 2019
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
AWS is the biggest public cloud service in the world, and companies around the world are flocking to the cloud for its ease, speed and accessibility in order to operate more effectively, enhance customer experiences and remain competitive. However, often times companies adopt the cloud without the expertise or correct tools in place to ensure security. Even though Amazon S3 buckets are private by default, the self-service nature of the cloud means that users not familiar with security settings.....Read More
AWS is the biggest public cloud service in the world, and companies around the world are flocking to the cloud for its ease, speed and accessibility in order to operate more effectively, enhance customer experiences and remain competitive. However, often times companies adopt the cloud without the expertise or correct tools in place to ensure security. Even though Amazon S3 buckets are private by default, the self-service nature of the cloud means that users not familiar with security settings and best practices can easily alter configurations, leading to catastrophic data leaks, such as this instance. As showcased by the data leaks from Authentic Jobs and Sonic Jobs, this type of misconfiguration almost always results in exposure of very sensitive, personally identifiable information that directly affects customers. To avoid these misconfigurations and corresponding data breaches, organizations must adopt proper cloud security and compliance strategies at the same time as adopting cloud services. You cannot have one without the other. Platforms that provide automated remediation in real time are most effective in preventing misconfigurations or other security risks, especially given the rapid rate of change in cloud environments.  Read Less
October 21, 2019
Stephan Chenette
Co-Founder and CTO
AttackIQ
Unfortunately, it does not take much for cybercriminals to find databases left open to the public and access personally identifiable information. There are tools designed to detect misconfigurations within cloud-tools, like Amazon's S3. Authentic Jobs and Sonic Jobs left a total of 250,000 customers’ records vulnerable by leaving the buckets public. Any organization that collects and stores consumer data must make securing that information a priority. Unauthorized exposure of any type of.....Read More
Unfortunately, it does not take much for cybercriminals to find databases left open to the public and access personally identifiable information. There are tools designed to detect misconfigurations within cloud-tools, like Amazon's S3. Authentic Jobs and Sonic Jobs left a total of 250,000 customers’ records vulnerable by leaving the buckets public. Any organization that collects and stores consumer data must make securing that information a priority. Unauthorized exposure of any type of customer data is a serious issue that may impact them well into the future. It’s imperative for companies to continuously evaluate the cybersecurity posture of their IT environments, including cloud databases, and validate their security controls are working as expected and properly preventing, detecting and alerting so your security team can respond in a timely manner to any unauthorized access.  Read Less
October 17, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
Cloud services such as Amazon's AWS S3 buckets make it very easy and cost-effective for companies to store large amounts of data which can be quickly accessed from any location. Unfortunately, not applying the proper permissions can result in the same masses of information being exposed publicly, and by extension to any criminal. CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes to steal their identity or use employment history .....Read More
Cloud services such as Amazon's AWS S3 buckets make it very easy and cost-effective for companies to store large amounts of data which can be quickly accessed from any location. Unfortunately, not applying the proper permissions can result in the same masses of information being exposed publicly, and by extension to any criminal. CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes to steal their identity or use employment history and details to attack previous employers. Ultimately, a trivial user error caused the issue, so it's vitally important that companies foster a strong security culture so that even those who aren't directly responsible for security, see the value in it and seek to implement it properly.  Read Less
October 17, 2019
Sergio Loureiro
Cloud Security Director
Outpost24
This is definitively not the responsibility of AWS, but of Authentic Jobs and Sonic Jobs. There is no excuse for such a misconfiguration, default settings by AWS are good and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools (according to the Gartner terminology). Yet another example of enterprises being sloppy with personal data, which they are responsible for!
October 17, 2019
Sam Curry
Chief Security Officer
Cybereason
For potential employees, the goal is getting your resume in front of as many people as possible. And while the dark side of the web isn't used by employers, there are many resources and sites that job seekers commonly use to promote their candidacy. What we don't know is if these resumes contain personally identifiable information that isn't publicly available on sites such as LinkedIn and could be used for compromise. If the answer is yes, this story becomes more serious. If there is more data .....Read More
For potential employees, the goal is getting your resume in front of as many people as possible. And while the dark side of the web isn't used by employers, there are many resources and sites that job seekers commonly use to promote their candidacy. What we don't know is if these resumes contain personally identifiable information that isn't publicly available on sites such as LinkedIn and could be used for compromise. If the answer is yes, this story becomes more serious. If there is more data being exposed, the story will take on a larger life and have more serious implications for job seekers.  Read Less
October 17, 2019
Tim Erlin
VP of Product Management and Strategy
Tripwire
This is yet another instance of misconfigured AWS storage buckets. These misconfigurations are at the heart of millions of disclosed records. Any organization using cloud storage must regularly audit the permissions to ensure these kinds of breaches don’t happen. When you apply for a job, you share sensitive personal data with the jobs board and the companies to which you’re applying. It’s their responsibility to protect that information from disclosure.
October 17, 2019
Robert Ramsden Board
VP EMEA
Securonix
This is another incident of an organisation deploying new technology without considering the security implications. If the data was accessible to anyone with an internet connection then there is a high chance it already has been accessed by unintended parties. Data breaches involving Personally Identifiable Information (PII) often lead to huge fines, reputational damage, and loss of trust. Not to mention the enormous impact on the individual from identity theft to financial compromise. This.....Read More
This is another incident of an organisation deploying new technology without considering the security implications. If the data was accessible to anyone with an internet connection then there is a high chance it already has been accessed by unintended parties. Data breaches involving Personally Identifiable Information (PII) often lead to huge fines, reputational damage, and loss of trust. Not to mention the enormous impact on the individual from identity theft to financial compromise. This should be a lesson to organisations that any documents, servers or databases should always be secured and at the very least password-protected.”  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts