A UK recruitment firm exposed sensitive applicants data for months

The company was informed about the exposed data in December 2020 but it only responded and secured the data in March 2021.


FastTrack Reflex Recruitment recently joined the ranks of companies hit by data leaks caused by misconfigured AWS S3 buckets. The breach mainly affected applicants whose CVs, containing personal information, were exposed, reports the research team at Website Planet.


Attached to many of the CVs were applicants' identity documents, including passports, citizen ID cards, driver's licenses, and skilled worker IDs. Together these constitute both direct and indirect applicant PII. Examples of directly identifiable PII include the following:

  • Full names
  • Email addresses
  • Home addresses
  • Dates of birth
  • Passport numbers
  • Applicant photos
  • Mobile phone numbers
  • Social network URLs for some applicants




It is worth noting that securing the bucket's configuration is not Amazon's responsibility but that of the customer using the service as public cloud storage, in this case FastTrack.
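As an added example (not code from the article or from Website Planet's research), the following Python checks the three configuration documents that decide whether an S3 bucket is world-readable: the bucket ACL, the bucket policy, and the Block Public Access settings. The sample ACL is constructed to resemble the public-read misconfiguration described above.

```python
# Offline audit of an S3 bucket's access settings for the public-read
# misconfiguration class behind this leak. Inputs are the JSON documents the
# AWS CLI returns for get-bucket-acl, get-bucket-policy, get-public-access-block.

PUBLIC_GROUPS = {  # grantee URIs meaning "anyone" / "any AWS account holder"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """ACL grants that give READ or FULL_CONTROL to an all-users group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS
            and g.get("Permission") in ("READ", "FULL_CONTROL")]

def public_policy_statements(policy):
    """Allow statements granting s3:GetObject (or broader) to Principal '*'."""
    hits = []
    for s in policy.get("Statement", []):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and anyone and \
                any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            hits.append(s)
    return hits

def block_public_access_on(pab):
    """True only when all four Block Public Access settings are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))

def audit_bucket(acl, policy, pab):
    """'exposed' is True when a public grant exists and BPA does not override it."""
    acl_hits, pol_hits = public_acl_grants(acl), public_policy_statements(policy)
    bpa = block_public_access_on(pab)
    return {"public_acl_grants": len(acl_hits), "public_policy_statements": len(pol_hits),
            "block_public_access": bpa, "exposed": bool(acl_hits or pol_hits) and not bpa}

# Constructed sample: ACL grants READ to AllUsers, no bucket policy, and Block
# Public Access never configured (empty document), i.e. world-readable objects.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

For a real bucket, feed `audit_bucket` the output of `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`; note that `get-bucket-policy` returns the policy as a JSON string under the `Policy` key, which must be parsed with `json.loads` first.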

Example of leaked data (Image: Website Planet)

According to Website Planet's blog post, the bucket held 21,000 client files (including duplicates), equating to 5GB of data, left accessible to anyone who found it, including criminals intent on exploiting it.

Moreover, tens of thousands of people could be affected. As a result of this exposure, FastTrack could face regulatory action under the GDPR and the UK's Data Protection Act 2018.

Clients could be targeted by various criminal acts if cybercriminals found the unprotected data, including identity theft, fraud, scams, phishing, malware, theft, and account takeover.

The company, for its part, would be affected by its failure to adhere to data privacy laws such as the GDPR, which could bring a fine of around €20 million or 4% of its annual turnover (whichever is higher).




Additionally, it could lose business as existing customers lose trust in the firm and prospective applicants are driven away.


The exposure was first discovered on 29 December 2020 by the Website Planet research team. The company was contacted on 15 and 17 January 2021 but, after several further attempts to reach it, only replied on 17 March; the bucket was secured on 23 March 2021.
