A UK recruitment firm exposed sensitive applicants data for months