Ireland resume website breached, authorities still not notified
by Steve Ragan - Apr 1 2008, 20:45
Jobs.ie was stripped of an unknown number of CVs. Authorities will be contacted later, the company said.
In another example of data loss because of compromised security, Jobs.ie has announced that resumes (CVs) were downloaded in bulk because of an illegally obtained employer account. Simply put, the attackers stole the username and password of an account with employee rights, and downloaded resumes from there.
"Dear Jobs.ie Customers, This notice is to bring to your attention a security breach that took place on the Jobs.ie website on Thursday evening," starts the apology letter posted to the website by Huw Taylor. "I would like to extend my sincerest apologies to all our Customers who have been affected by this and assure you that we are taking every measure to ensure that this won't happen again. A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have."
The Ireland-based site is worried that applicants will fall victim to phishing scams that are the result of the lost information. They are concerned that applicants will get snared by responding to job offers based on information that was submitted. "All of the people affected have been contacted and informed of the situation. We have urged them to exercise extra vigilance with inbound e-mails in the coming weeks to ensure online security," a spokeswoman said.
Jobs.ie would not give exact details on how the criminals obtained the access information (likely phishing or malware) or the exact number of resumes downloaded. Oddly, the website said that they have contacted the Data Protection Commissioner, but not the authorities. They said that they would contact authorities after they determine the exact location of the IP address where the attack originated. (Thanks to spoofing, however, it is seriously unlikely they will get proper information.)
In the meantime, in an email sent to affected site members, the company urged them not to give any personal information until it had been established the contact was legitimate. In addition, they asked users not to give out personal banking information, not to share passwords with anyone, and not to open e-mail attachments if the client was suspicious, especially .exe files.