The personal details of 250,000 American and British job seekers have been exposed after two online recruitment companies left their cloud storage containers publicly accessible instead of private.
Each company stored the resumes of hopeful job applicants in cloud storage containers known as buckets. The buckets were provided by the world's biggest cloud service, Amazon Web Services (AWS), which holds customer data on internet-connected servers.
Applicants' data was exposed because both companies had set the access settings on their buckets to public instead of private. This error meant that the resume of anyone who had applied for a job could be viewed and downloaded, without any login, by anyone who knew or guessed the bucket's address.
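What "public instead of private" looks like in a bucket's own access documents, as an added example (this is not code from the article, Authentic Jobs or Sonic Jobs): a small Python checker that runs over the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, flags an ACL grant to the AllUsers or AuthenticatedUsers groups and any policy statement that lets an anonymous principal download objects or list keys, and sets conditional grants aside for review. The bucket name `example-resumes`, the owner ID and all sample documents below are constructed for illustration.

```python
"""Detect S3 bucket configurations that expose objects to the public.

Added example, not code from the article or the companies it names. It works
on the JSON shapes that `aws s3api get-bucket-acl` and `get-bucket-policy`
return, so it runs offline on the constructed documents below or on real
output saved to disk.
"""
import json

# URIs AWS uses for the two "everyone" groups in legacy ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions that let a stranger list keys or download objects (exact or wildcard).
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:List*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_findings(acl):
    """Grants that give the AllUsers/AuthenticatedUsers groups read access."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        perm = grant.get("Permission")
        if uri in (ALL_USERS, AUTHENTICATED_USERS) and perm in ("READ", "FULL_CONTROL"):
            group = "AllUsers" if uri == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {perm} to {group}")
    return findings


def policy_findings(policy):
    """Allow statements that let an anonymous principal read objects or list keys.

    A statement carrying a Condition (for example aws:SourceIp) may narrow "*"
    enough to be safe, so it is reported for human review rather than as exposed.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a for a in _as_list(stmt.get("Action", [])) if a in READ_ACTIONS}
        if not actions:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy {sid}: public {sorted(actions)} restricted by Condition (review)")
        else:
            findings.append(f"policy {sid}: public {sorted(actions)} with no Condition")
    return findings


def is_public(acl, policy):
    """Exposed if either mechanism grants read to everyone unconditionally."""
    unconditional = [f for f in policy_findings(policy) if "no Condition" in f]
    return bool(acl_findings(acl) or unconditional)


# Constructed samples: the misconfigured state (a public-read ACL, as produced by
# `--acl public-read`, and a wide-open policy) next to the corrected private state.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"},
               "Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}

EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-resumes", "arn:aws:s3:::example-resumes/*"]}]
}""")
CONDITIONAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]
}""")
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    for name, acl, pol in [("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("conditional", PRIVATE_ACL, CONDITIONAL_POLICY),
                           ("private", PRIVATE_ACL, EMPTY_POLICY)]:
        verdict = "PUBLIC" if is_public(acl, pol) else "private"
        print(f"{name}: {verdict} {acl_findings(acl) + policy_findings(pol)}")
```

To run it against a real bucket, save `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` to files and load them into `acl_findings` and `policy_findings`. The checker only reads the two legacy mechanisms the article's incidents turned on; the account- and bucket-level S3 Block Public Access setting overrides both, so enabling it is the short route to making sure a later `--acl public-read` cannot reopen the data.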
Authentic Jobs, whose client list includes accounting firm EY and newspaper the New York Times, made at least 221,130 resumes publicly accessible. A further 29,202 resumes were exposed by app Sonic Jobs, which international hotel chains Marriott and InterContinental often use to recruit new staff.
According to Sky News, which revealed the bucket-related breaches yesterday, the total number of resumes exposed may be higher.
After being warned of the exposure by Sky News, both companies changed their bucket settings to private.
“We take security and privacy very seriously and are looking into how this happened,” Authentic Jobs said in an email.
Security researcher Gareth Llewellyn, who discovered the bucket breaches, said: "By finding and closing these buckets we can protect people who placed their trust in these businesses and—hopefully—start drawing attention to the dangers of storing personal data in a woefully insecure manner."
Authentic and Sonic now join Verizon, Dow Jones, GoDaddy, and WWE on a growing list of organizations that have exposed data through publicly readable AWS buckets.
Llewellyn said that the onus is on companies to ensure the data that they store in the cloud is being stored safely.
“Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn’t preclude them from ensuring the data entrusted to them is safe,” he said.