Authentic Jobs and Sonic Jobs have exposed more than 200,000 CVs between them, leaving the documents publicly accessible to potential threat actors.
Security researcher Gareth Llewellyn discovered the data breaches.
Authentic Jobs, a US-based jobs board utilised by companies including the New York Times, made 221,130 CVs publicly accessible, whilst Sonic Jobs, a UK jobs app used by companies including the Marriott, exposed 29,202 CVs.
It is assumed that the total number is higher, as the service that was used to identify the leaks refreshes irregularly.
The firms exposed the CVs by setting the “buckets” on their cloud storage service, provided by Amazon Web Services (AWS), to public. As a result, the CVs of those who applied for jobs through the firms were available for anyone to view and download.
Shortly after notification, the buckets were made private.
Many of the CVs included names, addresses, career histories and phone numbers, all of which can be exploited.
One student, Akilah Elder, who had used Sonic Jobs, told Sky News: “I trusted these people to do what they were supposed to do, which was to help me find a job and now everyone can access my data.”
In a statement to Sky News, Sonic Jobs said that it was reviewing the storage system:
“With limited resources, as a small business, we are confident that we take reasonable and proportionate measures to protect the confidentiality, integrity and availability of our business data and the personal data we hold.”
“By finding and closing these buckets we can protect people who placed their trust in these businesses and – hopefully – start drawing attention to the dangers of storing personal data in a woefully insecure manner.”
Amazon said in a statement that its AWS buckets were secure by default; the responsibility therefore lies with the companies utilising its cloud services. Llewellyn agreed with this statement:
“Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn’t preclude them from ensuring the data entrusted to them is safe.”
The post #Privacy: Hundreds of thousands of CVs exposed online appeared first on PrivSec Report.