back to article Recruitment giant PageGroup hacked, Capgemini dev server blamed for info leak

Global recruitment giant PageGroup says a hacker infiltrated its network and accessed job applicants' personal information. The miscreant broke into a development system run by IT outsourcer Capgemini for PageGroup, and was able to look up job hunters' names, email addresses, hashed passwords and more. UK-headquartered …

  1. JMiles

    So do PageGroup still regard CrapGemini as a global leader? And is this the first time the 'well they had ISO certificates so we figured they knew what they were doing' defence has been used in public?

  2. Anonymous Coward
    Anonymous Coward

    Is it still a leak when it comes from a sieve

    Recruitment databases are a wealth of out of date information and old email addresses.

    They are shared, sold, re-indexed etc regularly. If you have ever been on one, you will never be removed.

    I get emails from recruiters who last saw a CV 15 years ago, they still think i am looking for the same job.

    Anyone who's information was 'leaked' from this system is unlikely to even notice.

  3. Voland's right hand Silver badge

    Re: Is it still a leak when it comes from a sieve

    This is why you use a new and disposable email address if you ever have to get your details into one.

  4. Bronek Kozicki Silver badge

    Re: Is it still a leak when it comes from a sieve

    Or the same, tired email address you use for everything else.

    Yeah, I know.

  5. Anonymous Coward
    Anonymous Coward

    Why I don't use Linked In and all the rest.

    Instead I keep all my current 'availability' details on Ashley Madison. In that way I can be sure of absolute discretion, total security, and that I am only approached by the right kind of agents.

  6. Anonymous Coward

    Typical bullshit...

    ""Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," Capgemini said."

    How can they say that? How can they be 100% sure there is no criminal intent, unless of course they know who did it?

    Just because it hasn't been sold / used yet, doesn't mean it won't be.

    This is exactly the info required for spear phising attacks.

  7. s. pam

    Is it just Michael Page site or plenty more?

    Their email I got had NO details of WHICH website so I'll be filling in the ICO complaint forms shortly. Marks for letting us know El Reg, shame on PageGrouo.

  8. tblacklock1972

    Arthur Daley's the lot of 'em..

    Would this be a good moment to discuss the rotten quagmire that is online recruitment agents?

  9. Rusty 1

    Re: Arthur Daley's the lot of 'em..

    I've always thought that they make estate agents look rather good in comparison.

  10. Anonymous Coward
    Anonymous Coward

    So ... did they gain entry through a poorly-configured dev server, and get at live data from there, or were PageGroup using real data in a development environment which got compromised? If the latter, I doubt the ICO will be amused ...

  11. Graham Anderson

    not a 'hack' if just on a publicly accessible server

    If you read the original article by Troy Hunt, the server was publicly accessible. So while this is a "breach" of privacy, its no more a "hack" than me going to robots.txt and seeing what pages are listed as deny and copy pasting them into my browser.

    "… an underlying risk on the server end; publicly exposed website, directory listing enabled, .sql files exposed… "

  12. Cuddles Silver badge

    Who else?

    "A spokesperson for PageGroup told us the unnamed hacker has since promised they have destroyed the data and the company is "confident that they have done so." To us it sounds like someone discovered a vulnerable server, found out they could exploit it to extract people's information, and then reported it to PageGroup."

    Sure, this sounds like nice person discovered a vulnerability and told them about it. The question is not whether that specific person plans on doing anything naughty with the data, but how many other people might have also had the same access. The important thing to take from this is not "White hat reports vulnerability", but rather "Vulnerability may have existed for years and has only just been reported".

  13. Anonymous Coward
    Anonymous Coward

    No mention of the ICO

    All well and good but if they had my data i'd want to know that they had informed the ICO as it is a data breach. Seems to me they kind of "forgot" that bit.

  14. Prst. V.Jeltz Silver badge

    Whats the problem? dont people put their CVs on these websites because they want the world to see them?

    Its like saying "I'm afraid the details of that classified ad you put in the local gazette last week have been leaked all over the internet .

    Unfortunately the following details have been stolen:

    the size of the folding bicycle you are selling,

    the colour of it,

    the area its located in ,

    and the phone number to ring if interested"

  15. Wensleydale Cheese Silver badge

    "Whats the problem? dont people put their CVs on these websites because they want the world to see them?"

    But I don't want to be pestered by someone who thinks I want to work on a product that was already in its death throes 20 years ago. I didn't particularly like that product then, and I certainly don't want to go back to it now.

  16. Dave Harvey

    ISO Rubbish

    "It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands."

    Does ANYONE still believe that ISO "quality" certifications have any value whatsoever?

  17. Gordon Pryra

    Blame Dodgers

    Bollocks, the fault is PageGroups and noone elses.

    They gave access to CapGemini and any blame falls squarley on their own door step.

    If they had NOT given access to that data to a 3rd party then their customers details would be safe.

    Any company using this bullshit excuse and trying to shift the blame needs to be strung up by their testicles.

  18. tiggity Silver badge


    Was there proper info given on how the password was stored (the "encrypted into a code comment was laughable" in it's uselessness)

    Was combo hash / encryption used?

    Was it a laughably outdated encryption method that can be brute forced in a coffee break / totally exposed via lookups on rainbow tables?

    There's lot's of ways of storing password NOT as plain text, only some of them are useful rather than security theatre.

    Given the liking for Private Eye references on El Reg, wheres the CrapGemini usage gone, it should be in the article not having to wait for the first comment?

  19. Calleb III

    And that Ladies and Gents is why "normal" people desensitise DBs before refreshing UAT/DEV environments. Especially when sending them to 3rd parties. Double so when the 3rd party is Crapita/Crapgemini etc.

  20. John G Imrie Silver badge

    "Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands."


    We looked at them and their fig leaf was impressive

  21. Pliny the Whiner

    "We looked at them and their fig leaf was impressive."

    And we looked under their fig leaf and were envious.

  22. Tubz

    Going to be expensive for PageGroup and CapGemini !

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018