Recruitment site in personal data leak

Bill Goodwin

A leading UK recruitment consultancy this week had to install emergency security measures to block public access to personal details of thousands of jobseekers.

A Computer Weekly investigation has revealed that jobseekers' CVs, containing details of careers, salaries, home addresses and phone numbers, could be viewed and downloaded until this week from the online database of Reed Solutions.

The company is ranked among the UK's top five high street recruitment consultancies and boasts Barclays Bank, Sony and Computer Associates among its clients.

The database could be accessed by unauthorised individuals on the Internet without the use of passwords, or any form of encryption.

The site is run by Reed's web-based recruitment service, Reed Online.

The security loophole exposes the vulnerability of Reed's internal computer systems to potential hacking attempts. It raises a question mark over the standards of security provision for sensitive client information in all recruitment consultancies.

Mark Owen-Ward, managing director of Reed Solutions, told Computer Weekly that the firm would review its security procedures.

He said: "Reed takes any kind of security breach extremely seriously. Now that it has been rectified we are investigating fully how this situation arose and who was behind it.

"As other major internet players such as Yahoo! and Amazon have found recently, a high online profile brings new threats. Like them, we have learned from this episode and strengthened our approach to online business."

The security loophole poses a serious question about Reed Solutions' compliance with the 1998 Data Protection Act, which comes into effect from 1 March.

The Act places strict obligations on companies to protect sensitive categories of information, including ethnic status, and trade union membership.

The security breach is also a severe embarrassment for the recruitment firm as it contravenes its own publicly-stated data protection policy.

Under the policy the recruitment consultant promises jobseekers that their personal information will be "kept as secure as possible through the use of technology and protection systems which are designed to keep personal data secure".

Reed also promises that it will not pass any personal details to third parties without the jobseeker's consent.

But the private site allowed Reed staff to view jobseekers' personal records without having to use any password.

Staff were asked only to type their initials and a branch number.

This system allowed unauthorised users who had access to Reed's internal Internet address to reach highly sensitive data by typing random two-letter combinations and random numbers between 1 and 250.

Reed Solutions said that the site was a temporary holding database for CVs submitted by jobhunters online, and that its main database was not compromised.

"As soon as this temporary breach was discovered our security was escalated and the gap closed within minutes. We are satisfied that our main client and candidate database remains untouched and are 100% confident in our system's resilience," said Owen-Ward.

But the security breaches could create a backlash among jobseekers and employers. Such consultancies rely heavily on the trust of jobseekers and employers, who regularly share sensitive personal and commercial information with them.

Any breach in security is certain to tarnish the reputation of the industry and lead to demands for greater regulation of their data protection procedures.

Reed Solutions PLC is not affiliated to Reed Business Information, the parent company of Computer Weekly.
