The Guardian newspaper's jobs website has warned 500,000 users that hackers may have got hold of private information held on the site after a "sophisticated and deliberate" attack. The paper said not all users were at risk, and it has emailed those who are. The email, sent on Saturday, said data relating to job applications "may …
"2) Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again."
Prevent it happening again? What are they going to say, trust any online or government agency with your data!?
These agencies and job sites need vetting now anyway - they've got away with dodgy data sharing activities for years. I haven't uploaded or applied to a job in over 3 years, and despite cancelling the one account I did create all those years ago (Reeds Recruitment), my details are being passed between every dodgy agency in the UK, usually suggesting jobs in the place I was moving away from 3 years ago, 250 miles away from where I'm living now.
Hilariously, I'm always very aware of dodgy check boxes and t&c's, and will always opt out of being shared with other companies, but for some reason, all these agencies seem incapable of telling me where they are getting my details, insisting I must have signed up to them at some point, which is total crap. Ah well.
Will they pay for my Experian?
When my employer lost a disk with my details on it, the company paid for me to get Experian credit watch. Will the Guardian cough up for Experian/CIFAS subscriptions for all affected users?
All website attacks are sophisticated or complex?
None are ever reported as stoopid [sic] dumb, simple or obvious.
Same with police reports when they "solve" an internet scam: these scams are always described in ways that make the perpetrators look like evil geniuses, but not quite as clever as the brain-boxes the fuzz employ. While these all make for nice, juicy headlines I can't shake the impression that they're just talking up the level of skill employed (by all sides) to flatter themselves.
What would be nice would be some factual reporting, without the hype. So instead of describing a breach of security as using complex techniques, why not just come out and say when the crime was merely the result of idiotic, negligent or lazy implementation of poorly understood, rushed or skimped preventative measures that anyone over the age of 6 could have hacked past.
At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free. You never know, by realising just how simplistic some of these crimes are, we might start holding the guardians of our data to account for their loss.
Is The Guardian...
... offering to pay the GBP12 pa charge for CIFAS registration? It would amount to a mere GBP 6 Million per year for those half million people. Since Guardian News & Media apparently lost around 37 Million in the last financial year it would be a drop in the ocean.
A CIFAS Protective Registration should only be posted if a person suspects that they are a victim of ID fraud. Placing a CIFAS Protective Registration on your credit files can cause problems - no lender (who is a member of CIFAS) is able to assess credit automatically when such a warning is on a credit file - so subjective assessment is used in lieu, which is less accurate, and therefore leads to a greater incidence of declines. Secondly, if you are applying for credit where staff may either be busy or not well trained (e.g. in a retail shop that offers an immediate discount when you take out a store card), then you are very likely to be declined after an embarrassing wait at the till. They are great if you really feel that you are at real risk of ID fraud, but like using a chainsaw, don't use it without thinking about the risks.
I want to know who's perpetrating all the sophisticated and accidental attacks
or are there a huge number of lucky idiots running around giving it "Oops, I accidentally the entire database"?
New job posting on Guardian Jobs
Required: 1 security adviser. Urgent start.
Confusing it is
I was apparently one of the people affected by this, even though I don't remember signing up to the Guardian in the first place. It must have been years ago.
Anyway, I tried signing in on the e-mail address they'd contacted me at and lo and behold, my account was gone. Had they expired it before the attack? Or had the attack somehow deleted it? But if it had, how did they contact me?
I get the feeling they haven't just e-mailed the people affected. They've emailed everyone who was ever registered even if they don't have sensitive details on their database any more. Of course the alternative to that is that they're holding my information without providing any way for me to remove it, which I understand is somewhat illegal...
Well, at least they admitted it
How many such hacks go unreported? Are companies legally obliged to let us know if they lose data, or do we have to rely on them being honest?
Re: Confusing it is
I find myself in the same boat. Email received on Saturday morning, attempted sign in without luck. Even asking for a password reminder on the email address they sent the email resulted in an error.
I will be contacting them for an explanation of this.
Could it be an employer trying to get round all the bloody job agencies to access the original versions of the CVs?
I'm not sure whether or not to add the 'Joke Alert' icon ...
The answer -
Do not allow any agencies to ask for, or record, any information not pertinent to the service they provide i.e advertising a position for a third party.
Job agencies are not providing the employment, only facilitating it; why do they need to know DOB, NI etc.? This information should only be collected after a job offer has been made.
Non-government agencies should not be allowed to ask for DOB or NI details unless they are bound by an agreement that makes them liable for data misuse. Any misuse / mismanagement should result in an automatic fine sufficient to offset any loss the affected suffer i.e. the affected person's earnings for life.
This business of allowing third parties access to the personal information of job seekers is simply a recipe for disaster and makes it far easier for bogus candidates as the agencies prep the candidates.
Employers complain that they find it so difficult to find the right person for the post even when their own H-R staff numbers are increasing, why? The reason is that H-R people only know H-R, at best, and hence have only second hand information as to any position's requirements.
I have interviewed people for employment and I agree it is tedious, however who is better qualified to choose the right person for a job than the person who knows all the position's requirements.
H-R and job agency staff typically have little understanding of matters outside of their own field and even the best job description is open for misinterpretation.
Advertise directly and get the right person for the job, it takes time but it is worth it in the end. If you chose the right person for a job you only have to do it once, use a third party and you will be training staff forever.
I can't believe this happened.
Please tell me it was an inside job instigated by the hateful Daily Mail rag to get back at the Manchester paper.
And to think, I nearly took a job there too.
Half a million?
Does the Graun really have that many readers, let alone readers who have posted their CVs to the jobs site? That would mean that 1 or 2 percent of the entire UK working population were users of the site. Seems excessive/optimistic. Perhaps the site has been scraping from other places, which means that at least some of the affected souls probably weren't even aware that their data was stored there.
I was affected...
Knowing The Grauniad, the attack probably exploited typos in their code.
They should take serious steps to resolve this, it has the potential to create financial misery for me and 499,999 others.
If we keep leaking data at this rate...
It's starting to look like the UK will be the first country in the world to offer total open source intelligence on its entire population! :(
Other countries can't wait for more free info to help them get richer in every way they can, all at our expense, e.g. http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-monitoring-firm/
The UK companies and government are rampantly abusing our privacy at every turn, yet they treat security like it's a joke. Maybe it is a joke and they are laughing at us for putting up with it all. :(
Today the Grauniad newspaper had to admit it's webtise had been kached, a spekosman for the paper said "most sucsbribers should be nife as on one will be bale to read their CV's ude ot poor spoling".
I'm angry about this.
I applied for a couple of jobs through their website around four years ago. Later, I closed my account. This weekend I got the email advising me to clear up their mess at my own expense.
They shouldn't even have had any of my details on file.
Does anyone know how I can extract from them the details that they did actually lose? I don't want to go to the effort and expense of dealing with this mess if they haven't actually lost any important data of mine.
Where's the law in all this? If they have caused half a million people stress and expense through their own failings, shouldn't there be some kind of gigantic fine for that?
can't even change the password...
My G/F received the email from them, and logged in to check. No CV on file (she tended to send CV with job application apparently), but then we looked at all the past jobs she had applied for - the system says it keeps the last 6 months, but there are jobs going back to March 08 in there!! There is no way (that we could see) that allowed her to clear off the past applications, or CV's that were contained within. Furthermore, we could find no way to change the account password - 'My details' and 'Your Account' were both on the site, but went to the same page which only allowed you to view CV's uploaded and past appointments. So how do you change a password on the account then??????
their credit card number in their CV?
Free Our Data
Do you think they're taking their Free Our Data campaign a little too far here?
Leaving your details around
I'm afraid I don't post my CV to 'open' job sites. It normally only goes to employers and occasionally to agencies if they've managed to make up a job description that interests me.
It's not paranoia if... etc.
Recruitment agencies and job sites seem to be passing our details around like Pokemon cards at an eight year old's birthday party. Would be nice if one of these losers could stop playing Tetris and actually find someone a job while they're at it.
Data Protection Act Anyone?
If they are emailing people who have had no contact with the company for years or even tried to remove their accounts, I wonder what the DPA would have to say about it?
This could be a disaster for the chattering classes
What if there weren't any diversity co-ordinators or street theatre facilitators? No health and safety executive assistants, no bio diversity officers, no five a day monitors, no smoking cessation co-ordinators. No parking enforcement wardens, no litter rapid response teams, no noise abatement outreach facilitators, no recycling monitors, no penalty inspectors, no real nappy organisers etc.
What an awful place the UK would become. Maybe we'd ALL get a substantial reduction on our Council tax instead.
Re: Half a million?
Guardian.co.uk is the widest read UK newspaper website, currently.
I find this.......
...very strange that the Guardian's website is hacked so soon after their technology editor advocated the hacking of the BNP's website. Maybe his time would be better spent making sure the site is secure. Careful what you wish for....
I'm sure that in the light of the various stupid personal data losses by American banks over the last three years all this information was properly encrypted.
I mean, who would be so monumentally irresponsible to store reams of unencrypted personal data on a web server?
..Credit Ref agencies
.... Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again.
When a Bank etc gives wrong info to Callcredit, Equifax or Experian try asking the agency to right it - they won't correct it unless the Bank agrees (and it takes 6mnths-1 year) so you pay higher interest to the Credit Agencies client.
Trebles all round!
an easy way to track who sells your info... set up a domain and redirect an address mailmeXXX@mydomain to a catchall (xxx is your job application ref) - you read the catch all and doesn't take long to work out the f***wit selling your data.. then send a nice letter to a Director..
on one business site we set up email addresses for every business partner using their name eg guardian@domain if we tried to partner with guardian
not even 1 spam email 2 years later...
f***wits all of them
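An added example (not part of the original comment) of the per-recipient address idea described above, extended with a keyed tag so that addresses merely guessed against the catch-all are not mistaken for a leak. The domain, secret, `mailme-<ref>-<tag>` format and sample mail log are all constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: known only to the domain owner
DOMAIN = "mydomain.example"        # placeholder for the commenter's "mydomain"
ALIAS_RE = re.compile(r"^mailme-([a-z0-9]+)-([0-9a-f]{8})@" + re.escape(DOMAIN) + r"$")

def _tag(ref):
    """Short keyed tag binding an alias to the recipient it was issued to."""
    return hmac.new(SECRET, ref.encode(), hashlib.sha256).hexdigest()[:8]

def make_alias(ref):
    """Address to hand to exactly one site or agency, e.g. make_alias('guardian')."""
    ref = ref.lower()
    if not re.fullmatch(r"[a-z0-9]+", ref):
        raise ValueError("ref must be alphanumeric")
    return f"mailme-{ref}-{_tag(ref)}@{DOMAIN}"

def attribute(rcpt):
    """Return the ref an address was issued to, or None if it was never issued."""
    m = ALIAS_RE.match(rcpt.strip().lower())
    if not m:
        return None
    ref, tag = m.groups()
    return ref if hmac.compare_digest(tag, _tag(ref)) else None

def leak_report(messages, expected):
    """Map each ref to the sender domains that should never have had its alias.

    messages: (envelope recipient, sender domain) pairs from the catch-all mailbox.
    expected: ref -> set of sender domains allowed to use that alias.
    """
    leaks = {}
    for rcpt, sender in messages:
        ref = attribute(rcpt)
        if ref is None:            # guessed or dictionary-attack address: ignore
            continue
        if sender.lower() not in expected.get(ref, set()):
            leaks.setdefault(ref, set()).add(sender.lower())
    return {ref: sorted(domains) for ref, domains in leaks.items()}

# Constructed catch-all log: one legitimate mail each, one leak, two guesses.
EXPECTED = {"guardian": {"guardian.example"}, "agency1": {"agency1.example"}}
SAMPLE = [
    (make_alias("guardian"), "guardian.example"),
    (make_alias("agency1"), "agency1.example"),
    (make_alias("agency1"), "bulkmail.example"),
    ("mailme-guardian-deadbeef@mydomain.example", "spam.example"),
    ("sales@mydomain.example", "spam.example"),
]

if __name__ == "__main__":
    print(leak_report(SAMPLE, EXPECTED))
```

Without the tag, any spam sent to a guessable name such as guardian@domain on a catch-all would look like evidence against that partner.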
The grundian will have put your CV through their editorial ysstem and ensuured that yourCV is spelled corectly. You prbably won't recognisse your addresss.
Were that it were so simple.
"At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free." .... By Pete 2 Posted Monday 26th October 2009 09:56 GMT
Pete 2, They are only criminals if caught and convicted of a crime. Until such a time/times, are they shrewd entrepreneurs and astute business persons/operators.
Aren't the Guardian going a bit over the top?
If simply having your CV enables someone to steal your identity then no-one anywhere is safe.
What's more, all I have to do is post a fake job ad in a popular industry (media for example) asking people to send in their CVs to harvest a few hundred identities.
Our society is getting more and more paranoid by the hour.
Is it really necessary for a jobsite to know your address? Admittedly in the past I have supplied these details on my CV. But for quite some time now my CV address consists of the town I live in and a pay as you go mobile phone number. Only an employer needs to know your full address, home telephone number, date of birth, national insurance number and bank details, and then only when you take up a position.
Email addresses are something else, use a disposable one and unsubscribe from the spam that comes from real agencies and training providers. Or as suggested go on a crusade, determine who's sharing your data and threaten, preferably with a solicitor.
As for the sharing and or selling of personal and what should be private information amongst agencies and so called partners, we need a few court cases and big fines, or stronger data protection law to deal with it.
Look at the bright side
It was ONLY half a mil.!!!
Wankers could have lost more.
Wait, I'm sure they're still working on it.
Think I'll have a little lie down now.
It'd be interesting to see what would happen if the people affected by this took the Guardian to the small claims courts to reclaim the cost of using a credit watch agency... if only a 1,000 or so did it (individually, not as a group), it would cost the Guardian a serious amount of time and money.
@AC 11:14 - The answer
Re DOB - It's illegal for an employer to discriminate against age of a candidate so NO recruitment company needs your DOB
Re NI - A Recruitment Company only needs this information if you either get the job
A recruitment company only needs the above information if you need security clearance
This article is about the Guardian Website not Recruitment Companies. The difference is that Sites like this and Jobsite, Monster, Jobserve etc.. Store CV's on Web Servers so they can be accessed by Recruitment Companies & Employers
A recruitment Company Stores your DC within a Database on its own Server not connected to the Internet
I don’t entirely agree with your comments re recruiters…
I am the IT Manager & Data Controller for a Specialist Recruitment Company
Our Consultants are all specialists in their fields.. As it is with other smaller agencies…
I will admit that some of the Larger Agencies do employ general Sales & Admin staff that have little knowledge of the types of people needed for certain roles.. But that can also come back on people like yourself.. If you don’t provide them with enough information about a position you are looking for then how are they supposed to find someone that you will like.. So it’s a bit of both really.
Could it be....
..the government's fault. Maybe they're trying to coerce *Manchester* based Grauniad reading types to sign up for an ID card??? I suspect the spooks had something to do with this.