Experts Reaction On UK Job App Exposes Thousands Of CVs Online

It has been reported that Sonic Jobs, a UK retail and restaurant jobs app used by the Marriott and InterContinental hotel chains, has exposed over 29,000 CVs online, revealing job-hunters’ names, addresses, phone numbers and career histories to potential cyber criminals. The firm had set its cloud storage buckets to public, which meant that each CV submitted with a job application could be viewed and downloaded by anyone who knew the bucket's location.


EXPERTS' COMMENTS
Chris DeRamus, Co-founder & CTO, DivvyCloud
October 21, 2019
AWS is the biggest public cloud service in the world, and companies around the world are flocking to the cloud for its ease, speed and accessibility in order to operate more effectively, enhance customer experiences and remain competitive. However, oftentimes companies adopt the cloud without the expertise or correct tools in place to ensure security. Even though Amazon S3 buckets are private by default, the self-service nature of the cloud means that users not familiar with security settings and best practices can easily alter configurations, leading to catastrophic data leaks, such as this instance. As showcased by the data leaks from Authentic Jobs and Sonic Jobs, this type of misconfiguration almost always results in exposure of very sensitive, personally identifiable information that directly affects customers. To avoid these misconfigurations and corresponding data breaches, organizations must adopt proper cloud security and compliance strategies at the same time as adopting cloud services. You cannot have one without the other. Platforms that provide automated remediation in real time are most effective in preventing misconfigurations or other security risks, especially given the rapid rate of change in cloud environments.
Stephan Chenette, Co-Founder and CTO, AttackIQ
October 21, 2019
Unfortunately, it does not take much for cybercriminals to find databases left open to the public and access personally identifiable information. There are tools designed to detect misconfigurations within cloud tools, like Amazon's S3. Authentic Jobs and Sonic Jobs left a total of 250,000 customers’ records vulnerable by leaving the buckets public. Any organization that collects and stores consumer data must make securing that information a priority. Unauthorized exposure of any type of customer data is a serious issue that may impact them well into the future. It’s imperative for companies to continuously evaluate the cybersecurity posture of their IT environments, including cloud databases, and validate that their security controls are working as expected and properly preventing, detecting and alerting, so your security team can respond in a timely manner to any unauthorized access.
Javvad Malik, Security Awareness Advocate, KnowBe4
October 17, 2019
Cloud services such as Amazon's AWS S3 buckets make it very easy and cost-effective for companies to store large amounts of data which can be quickly accessed from any location. Unfortunately, not applying the proper permissions can result in the same masses of information being exposed publicly, and by extension to any criminal. CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes, to steal their identity or to use employment history and details to attack previous employers. Ultimately, a trivial user error caused the issue, so it's vitally important that companies foster a strong security culture so that even those who aren't directly responsible for security see the value in it and seek to implement it properly.
Sergio Loureiro, Cloud Security Director, Outpost24
October 17, 2019
This is definitively not the responsibility of AWS, but of Authentic Jobs and Sonic Jobs. There is no excuse for such a misconfiguration: the default settings by AWS are good, and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools (according to the Gartner terminology). Yet another example of enterprises being sloppy with personal data, which they are responsible for!
Sam Curry, Chief Security Officer, Cybereason
October 17, 2019
For potential employees, the goal is getting your resume in front of as many people as possible. And while the dark side of the web isn't used by employers, there are many resources and sites that job seekers commonly use to promote their candidacy. What we don't know is if these resumes contain personally identifiable information that isn't publicly available on sites such as LinkedIn and could be used for compromise. If the answer is yes, this story becomes more serious. If there is more data being exposed, the story will take on a larger life and have more serious implications for job seekers.
Tim Erlin, VP of Product Management and Strategy, Tripwire
October 17, 2019
This is yet another instance of misconfigured AWS storage buckets. These misconfigurations are at the heart of millions of disclosed records. Any organization using cloud storage must regularly audit the permissions to ensure these kinds of breaches don’t happen. When you apply for a job, you share sensitive personal data with the jobs board and the companies to which you’re applying. It’s their responsibility to protect that information from disclosure.
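The permission audit that Tim Erlin, Stephan Chenette and Sergio Loureiro call for, as an added example that is not part of the original article or of any of these vendors' products: a small Python check that flags the public-bucket misconfiguration described above from a bucket's ACL, bucket policy and Block Public Access settings. The input dictionaries follow the shapes of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the bucket name and sample data are constructed, not taken from the incident.

```python
import json

# Anonymous grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# All four settings must be on for S3 Block Public Access to protect the bucket.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_permissions(acl):
    """Permissions granted to anonymous groups (input: shape of the GetBucketAcl response)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def policy_public_sids(policy):
    """Sids of Allow statements with a wildcard principal. Conditions are ignored, so this is
    deliberately conservative: review every hit by hand rather than trusting a clean result."""
    sids = []
    for s in policy.get("Statement", []):
        p = s.get("Principal")
        anon = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anon:
            sids.append(s.get("Sid", "<unnamed>"))
    return sids

def audit_bucket(name, acl, policy_json, pab):
    """Return findings for one bucket; an empty list means no public path was found."""
    findings = []
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: PublicAccessBlock not enforcing {', '.join(missing)}")
    for perm in acl_public_permissions(acl):
        findings.append(f"{name}: ACL grants {perm} to an anonymous group")
    if policy_json:  # GetBucketPolicy returns the policy document as a JSON string
        for sid in policy_public_sids(json.loads(policy_json)):
            findings.append(f"{name}: policy statement '{sid}' allows any principal")
    return findings

# Constructed sample data (no real buckets): one exposed as in the article, one hardened.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cvs/*"}]})
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print(*audit_bucket("example-cvs", EXPOSED_ACL, EXPOSED_POLICY, {}), sep="\n")
    print("hardened:", audit_bucket("example-cvs", OWNER_ONLY_ACL, None, HARDENED_PAB))
```

Run against live accounts by feeding it the responses of boto3's get_bucket_acl, get_bucket_policy and get_public_access_block for each bucket returned by list_buckets; a bucket with no policy raises NoSuchBucketPolicy, which maps to passing None.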
Robert Ramsden Board, VP EMEA, Securonix
October 17, 2019
This is another incident of an organisation deploying new technology without considering the security implications. If the data was accessible to anyone with an internet connection, then there is a high chance it has already been accessed by unintended parties. Data breaches involving Personally Identifiable Information (PII) often lead to huge fines, reputational damage, and loss of trust. Not to mention the enormous impact on the individual, from identity theft to financial compromise. This should be a lesson to organisations that any documents, servers or databases should always be secured and at the very least password-protected.
