Cisco has issued a security advisory stating that a portion of data belonging to its job seekers was discovered online by an independent security researcher.
Cisco has warned aspiring applicants about a data leak on its mobile site and advised caution when applying through its Professional Careers mobile site. The company has emailed the users of its mobile careers site to explain how a portion of their personal data was exposed.
Mjobs.cisco.com, the company's mobile careers site, reportedly had an incorrect security setting that resulted in applicants' data being leaked.
According to the advisory statement released by Cisco, the incorrect security setting was introduced after system maintenance was conducted on a third party's website. The incorrect setting was found to have been in place between August-September 2015 and July-August 2016.
The advisory further revealed that:
“An independent security researcher discovered that a limited set of job application-related information on Cisco’s Professional Careers mobile website was accessible (https://mjobs.cisco.com). Cisco’s investigation found this to be the result of an incorrect security setting following system maintenance on a third party’s website. Upon learning this, the setting was immediately corrected and user passwords to the site were reset. We do not believe that this information was accessed by anyone beyond the researcher who found and reported the issue.”
The flaw was discovered when the company observed an “unexplained, anomalous” link to its server during the above-mentioned period.
Cisco disclosed the incident on October 25 through a breach notice registered with the California Attorney General.
The company maintains that the impact of the data leak was restricted to a limited portion of job application-related information, but that information did include personal data: name, race, gender, address, veteran status, username, password, security question answers, disability status, education, professional profile, resume text and cover letter.
Cisco stated that it has reset all user passwords and disabled the option of accessing the website through security questions. Cisco further stated that it will continue to investigate the incident and has vowed to take steps to mitigate such threats and incidents in the future.