Guardian loses half a million CVs

All webiste attacks are sophisticated or complex?

None are ever reported as stoopid [sic] dumb, simple or obvious.

Same with police reports when they "solve" an internet scam: these scams are always described in ways that make the perpetrators look like evil geniuses, but not quite as clever as the brain-boxes the fuzz employ. While these all make for nice, juicy headlines I can't shake the impression that they're just talking up the level of skill employed (by all sides) to flatter themselves.

What would be nice would be some factual reporting, without the hype. So instead of describing a breach of security as using complex techniques, why not just come out and say when the crime was merely the result of idiotic, negligent or lazy implementation of poorly understood, rushed or skimped preventative measures that anyone over the age of 6 could have hacked past.

At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free. You never know, by realising just how simplistic some of these crimes are, we might start holding the guardians of our data to account for ttheir loss.

Is The Guardian...

... offering to pay the GBP12 pa charge for CIFAS registration? It would amount to a mere GBP 6 Million per year for those half milion people. Since Guardian News & Media apparently lost around 37 Million in the last financial year it would be a drop in the ocean.

Misleading warning

A CIFAS Protective Registration should only be posted if a person suspects that they are a victim of ID fraud. Placing a CIFAS Protective Registration on your credit files can cause problems - no lender (who is a member of CIFAS) is able to assess credit automatically when such a warning is on a credit file - so subjective assessment is used in lieu, which is less accurate, and therefore leads to a greater incidence of declines. Secondly, if you are applying for credit where staff may either be busy or not well trained (e.g. in a retail shop that offers an immediate discount when you take out a store card), then you are very likely to be declined after an embarrassing wait at the till. They are great if you really feel that you are at real risk of ID fraud, but like using a chainsaw, don't use it without thinking about the risks.

Well, at least they admitted it

How many such hacks go unreported? Are companies legally obliged to let us know if they lose data, or do we have to rely on them being honest?

CVs

Could it be an employer trying to get round all the bloody job agencies to access the original versions of the CVs?

I'm not sure whether or not to add the 'Joke Alert' icon ...

The answer -

Do not allow any agencies to ask for, or record, any information not pertinent to the service they provide i.e advertising a position for a third party.

Job agencies are not providing the employment only facilitating it, why do they need to know DOB,NI etc. this information should only be collected after a job offer has been made.

Non-government agencies should not be allowed to ask for DOB or NI details unless they are bound by an agreement that makes them liable for data misuse. Any misuse / mismanagement should result in an automatic fine sufficient to offset any loss the effected suffer i.e. the effected persons earnings for life.

This business of allowing third parties access to the personal information of job seekers is simply a recipe for disaster and makes it far easier for bogus candidates as the agencies prep the candidated.

Employers complain that they find it so difficult to find the right person for the post even when their own H-R staff numbers are increasing, why? The reason is that H-R people only know H-R, at best, and hence have only second hand information as to any position's requirements.

I have interviewed people for employment and I agree it is tedious, however who is better qualified to choose the right person for a job that the person who knows all the position's requirements.

H-R and job agency staff typically have little understanding of matters outside of their own field and even the best job description is open for misinterpretation.

Advertise directly and get the right person for the job, it takes time but it is worth it in the end. If you chose the right person for a job you only have to do it once, use a third party and you will be training staff forever.

Half a million?

Does the Graun really have that many readers, let alone readers who have posted their CVs to the jobs site? That would mean that 1 or 2 percent of the entire UK working population were users of the site. Seems excessive/optimistic. Perhaps the site has been scraping from other places, which means that at least some of the affected souls probably weren't even aware that their data was stored there.

Data Protection Act Anyone?

If they are emailing people who have had no contact with the company for years or even tried to remove their accounts, I wonder what the DPA would have to say about it?

Re: Half a million?

Guardian.co.uk is the widest read UK newspaper website, currently.

http://www.guardian.co.uk/media/2009/oct/22/abce-guardian-telegraph-mail-online

-A.

I find this.......

...very strange that the Guardians website is hacked so soon after their technology editor advocated the hacking of the BNP's website. Maybe his time would be better spent making sure the site is secure. Careful what you wish for....

No Worries

I'm sure that in the light of the various stupid personal data losses by American banks over the last three years all this information was properly encrypted.

I mean, who would be so monumentally irresponsible to store reams of unencrypted personal data on a web server?

Were that it were so simple.

"At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free." .... By Pete 2 Posted Monday 26th October 2009 09:56 GMT

Pete 2, They are only criminals if caught and convicted of a crime. Until such a time/times, are they shrewd entrepreneurs and astute business persons/operators.

CV details

Is it really necessary for a jobsite to know your address? Admittedly in the past have have supplied these details on my CV. But for quite sometime now my CV address consists of the town I live in and a pay as you go mobile phone number. Only an employer needs to know your full address, home telephone number, date of birth, national insurance number and bank details, and then only when you take up a position.

Email addresses are something else, use a disposable one and unsubscribe from the spam that comes from real agencies and training providers. Or as suggested go on a crusade, determine who's sharing your data and threaten, preferably with a solicitor.

As for the sharing and or selling of personal and what should be private information amongst agencies and so called partners, we need a few court cases and big fines, or stronger data protection law to deal with it.

@AC 11:14 - The answer

Re DOB - Its illegal for an employer to discriminate against age of a candidate so NO recruitment company needs your DOB

Re NI - A Recruitment Company only needs this information if you either get the job

A recruitment company only needs the above information if you need security clearance

This article is about the Guardian Website not Recruitment Companies. The difference is that Site like this and Jobsite, Monster, Jobserve etc.. Store CV's on Web Servers so they can be accessed by Recruitment Companies & Employers

A recruitment Company Stores your DC within a Database on its own Server not connected to the Internet

I don’t entirely agree with your comments re recruiters…

I am the IT Manager & Data Controller for a Specialist Recruitment Company

Our Consultants are all specialists in their fields.. As it is with other smaller agencies agencies…

I will admit that some of the Larger Agencies do employ general Sales & Admin staff that have little knowledge of the types of people needed for certain roles.. But that can also come back on people like yourself.. If you don’t provide them with enough information about a position you are looking for then how are they supposed to find someone that you will like.. So it’s a bit of both really.