Bill Goodwin

A leading UK recruitment consultancy this week had to install
emergency security measures to block public access to personal
details of thousands of jobseekers.
A Computer Weekly investigation has revealed that
jobseekers' CVs, containing details of careers, salaries, home
addresses and phone numbers, could be viewed and downloaded until
this week from the online database of Reed Solutions.
The company is ranked among the UK's top five high street
recruitment consultancies and boasts Barclays Bank, Sony and
Computer Associates among its clients.
The database could be accessed by unauthorised individuals on
the Internet without the use of passwords, or any form of
encryption.
The site is run by Reed's web-based recruitment service, Reed
Online.
The security loophole exposes the vulnerability of Reed's
internal computer systems to potential hacking attempts. It raises
a question mark over the standards of security provision for
sensitive client information in all recruitment consultancies.
Mark Owen-Ward, managing director of Reed Solutions, told
Computer Weekly that the firm would review its security
procedures.
He said: "Reed takes any kind of security breach extremely
seriously. Now that it has been rectified we are investigating
fully how this situation arose and who was behind it.
"As other major internet players such as Yahoo! and Amazon have
found recently, a high online profile brings new threats. Like
them, we have learned from this episode and strengthened our
approach to online business."
The security loophole poses a serious question about Reed
Solutions' compliance with the 1998 Data Protection Act, which comes
into effect from 1 March.
The Act places strict obligations on companies to protect
sensitive categories of information, including ethnic status and
trade union membership.
The security breach is also a severe embarrassment for the
recruitment firm as it contravenes its own publicly-stated data
protection policy.
Under the policy the recruitment consultant promises jobseekers
that their personal information will be "kept as secure as possible
through the use of technology and protection systems which are
designed to keep personal data secure".
Reed also promises that it will not pass any personal details to
third parties without the jobseeker's consent.
But the private site allowed Reed staff to view jobseekers'
personal records without having to use any password.
Staff were asked only to type their initials and a branch
number.
This system allowed unauthorised users who had access to Reed's
internal Internet address to reach highly sensitive data by
typing random two-letter combinations and random numbers between 1
and 250.
Reed Solutions said that the site was a temporary holding
database for CVs submitted by jobhunters online, and that its main
database was not compromised.
"As soon as this temporary breach was discovered our security
was escalated and the gap closed within minutes. We are satisfied
that our main client and candidate database remains untouched and
are 100% confident in our system's resilience," said Owen-Ward.
But the security breaches could create a backlash among
jobseekers and employers. Such consultancies rely heavily on the
trust of jobseekers and employers, who regularly share sensitive
personal and commercial information with them.
Any breach in security is certain to tarnish the reputation of
the industry and lead to demands for greater regulation of their
data protection procedures.
Reed Solutions PLC is not affiliated to Reed Business
Information, the parent company of Computer Weekly.