So do PageGroup still regard CrapGemini as a global leader? And is this the first time the 'well they had ISO certificates so we figured they knew what they were doing' defence has been used in public?
Global recruitment giant PageGroup says a hacker infiltrated its network and accessed job applicants' personal information. The miscreant broke into a development system run by IT outsourcer Capgemini for PageGroup, and was able to look up job hunters' names, email addresses, hashed passwords and more. UK-headquartered …
Friday 11th November 2016 04:54 GMT Anonymous Coward
Is it still a leak when it comes from a sieve
Recruitment databases are a wealth of out of date information and old email addresses.
They are shared, sold, re-indexed etc regularly. If you have ever been on one, you will never be removed.
I get emails from recruiters who last saw a CV 15 years ago, they still think i am looking for the same job.
Anyone who's information was 'leaked' from this system is unlikely to even notice.
Friday 11th November 2016 08:10 GMT Anonymous Coward
Friday 11th November 2016 09:18 GMT Anonymous Coward
""Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," Capgemini said."
How can they say that? How can they be 100% sure there is no criminal intent, unless of course they know who did it?
Just because it hasn't been sold / used yet, doesn't mean it won't be.
This is exactly the info required for spear phising attacks.
Friday 11th November 2016 10:35 GMT Graham Anderson
not a 'hack' if just on a publicly accessible server
If you read the original article by Troy Hunt, the server was publicly accessible. So while this is a "breach" of privacy, its no more a "hack" than me going to robots.txt and seeing what pages are listed as deny and copy pasting them into my browser.
"… an underlying risk on the server end; publicly exposed website, directory listing enabled, .sql files exposed… "
Friday 11th November 2016 11:30 GMT Cuddles
"A spokesperson for PageGroup told us the unnamed hacker has since promised they have destroyed the data and the company is "confident that they have done so." To us it sounds like someone discovered a vulnerable server, found out they could exploit it to extract people's information, and then reported it to PageGroup."
Sure, this sounds like nice person discovered a vulnerability and told them about it. The question is not whether that specific person plans on doing anything naughty with the data, but how many other people might have also had the same access. The important thing to take from this is not "White hat reports vulnerability", but rather "Vulnerability may have existed for years and has only just been reported".
Friday 11th November 2016 12:29 GMT Prst. V.Jeltz
Whats the problem? dont people put their CVs on these websites because they want the world to see them?
Its like saying "I'm afraid the details of that classified ad you put in the local gazette last week have been leaked all over the internet .
Unfortunately the following details have been stolen:
the size of the folding bicycle you are selling,
the colour of it,
the area its located in ,
and the phone number to ring if interested"
Friday 11th November 2016 20:04 GMT Wensleydale Cheese
"Whats the problem? dont people put their CVs on these websites because they want the world to see them?"
But I don't want to be pestered by someone who thinks I want to work on a product that was already in its death throes 20 years ago. I didn't particularly like that product then, and I certainly don't want to go back to it now.
Friday 11th November 2016 14:08 GMT Dave Harvey
Friday 11th November 2016 14:14 GMT Gordon Pryra
Bollocks, the fault is PageGroups and noone elses.
They gave access to CapGemini and any blame falls squarley on their own door step.
If they had NOT given access to that data to a 3rd party then their customers details would be safe.
Any company using this bullshit excuse and trying to shift the blame needs to be strung up by their testicles.
Friday 11th November 2016 16:00 GMT tiggity
Was there proper info given on how the password was stored (the "encrypted into a code comment was laughable" in it's uselessness)
Was combo hash / encryption used?
Was it a laughably outdated encryption method that can be brute forced in a coffee break / totally exposed via lookups on rainbow tables?
There's lot's of ways of storing password NOT as plain text, only some of them are useful rather than security theatre.
Given the liking for Private Eye references on El Reg, wheres the CrapGemini usage gone, it should be in the article not having to wait for the first comment?
Friday 11th November 2016 16:20 GMT John G Imrie
"Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands."
We looked at them and their fig leaf was impressive