UK government jobs website exploited by hackers

Hackers have been able to exploit security flaws in a new government jobs website to steal personal information about job applicants.

The Universal Jobmatch website has been described as a "scammer's paradise" in a Channel 4 News investigation, which uncovered security flaws that enabled access to data including passport scans.

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

The new site was launched on 19 November to replace the Jobcentre Plus website, which was shown to be vulnerable to hackers in 2011.

According to reports, a fake job ad placed by a group of hackers seeking to draw attention to the site’s security flaws was able to harvest the personal details of more than 70 jobseekers, the report said.

Such information could be used for identity fraud or illegal access to email, bank accounts and other online accounts of job applicants.

No security checks are carried out on advertisers, which means anyone is able to register as an employer and publish job vacancies without any vetting taking place.

The website’s security vulnerabilities have been reported to the UK’s privacy watchdog, the Information Commissioner’s Office, which is tasked with enforcing the country’s data protection laws.

In a statement, the Department of Work and Pensions, said: "The site clearly advises jobseekers not to give out personal details such as bank accounts or National Insurance numbers until a job offer has been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.

"The security of a claimant's data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV we would recommend they alert Jobcentre Plus immediately."