Recruiting firms Sonic Jobs in the UK and Authentic Jobs in the United States left as many as 250,000 applicant CVs publicly accessible, exposing names, home addresses, phone numbers, and other personal records.
The two recruiting firms, both boasting well-known clients across industries, exposed the personal information of thousands of job applicants by changing access settings in their respective AWS cloud storage folders to "public". This meant that anyone with a link to their folders could view detailed CVs of thousands of job applicants.
While US-based Authentic Jobs offers recruitment services to the likes of the New York Times, Tesla, Mercedes and many other major corporations in the United States, Sonic Jobs is among the largest recruitment firms in the UK catering to businesses in retail, restaurants, healthcare, beauty, and other sectors.
According to security researcher Gareth Llewellyn, who discovered the exposed AWS cloud storage folders, Authentic Jobs exposed 221,130 CVs via its publicly accessible folder, while Sonic Jobs exposed 29,202 CVs. According to Sky News, the total number of CVs exposed by the recruiting firms could be higher as "the service used to detect the leaks only refreshes irregularly".
"By finding and closing these buckets we can protect people who placed their trust in these businesses and - hopefully - start drawing attention to the dangers of storing personal data in a woefully insecure manner," Llewellyn said, adding that just because businesses use a service like AWS, this doesn't preclude them from ensuring the data entrusted to them is safe.
Recruiting firms are responsible for the security of their AWS cloud storage folders
Sergio Loureiro, Cloud Security Director at Outpost24, said that the exposure of candidates' CVs is definitively not the responsibility of AWS, but of recruiting firms Authentic Jobs and Sonic Jobs.
"There is no excuse for such a misconfiguration, default settings by AWS are good and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools (according to the Gartner terminology). Yet another example of enterprises being sloppy with personal data, which they are responsible for!" he said.
"Cloud services such as Amazon's AWS S3 buckets make it very easy and cost-effective for companies to store large amounts of data which can be quickly accessed from any location. Unfortunately, not applying the proper permissions can result in the same masses of information being exposed publicly, and by extension to any criminal," says Javvad Malik, security awareness advocate at KnowBe4.
"CVs, in particular, contain a wealth of personal and private information that can be used for many nefarious purposes to steal their identity or use employment history and details to attack previous employers. Ultimately, a trivial user error caused the issue, so it's vitally important that companies foster a strong security culture so that even those who aren't directly responsible for security see the value in it and seek to implement it properly," he adds.
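The "public" access setting described above can be checked for mechanically. The following is an added example, not code from the article or from either firm: it audits one bucket offline from data shaped like the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses. The function names, the bucket name `example-cv-bucket` and the sample data are constructed assumptions.

```python
import json

# Grantee group URIs that make an S3 ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(acl, policy_json, pab):
    """Return findings for one bucket from its ACL, policy and Public Access Block."""
    findings = []
    if not pab.get("IgnorePublicAcls"):      # when set, S3 ignores public ACL grants
        for g in acl.get("Grants", []):
            uri = g.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {g['Permission']} to {PUBLIC_GROUPS[uri]}")
    if policy_json and not pab.get("RestrictPublicBuckets"):
        stmts = json.loads(policy_json).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Simplification: a statement with any Condition is not flagged here.
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal")) and not s.get("Condition"):
                findings.append(f"Policy allows {s.get('Action')} to any principal on {s.get('Resource')}")
    return findings

# Constructed sample data (not taken from the incident).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-cv-bucket/*"}]})
PAB_OFF = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)
PAB_ON = dict.fromkeys(PAB_OFF, True)

if __name__ == "__main__":
    for label, pab in (("Public Access Block off", PAB_OFF), ("Public Access Block on", PAB_ON)):
        print(label, "->", audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, pab) or "no public exposure found")
```

With all four Public Access Block settings enabled, the same public ACL grant and wildcard policy no longer produce findings, which is why that setting is the first thing to verify on a bucket holding personal data.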