That Danny! News, Reviews, Social Media and Net Moods

25 Oct 2009

Guardian jobs site hacked – personal data compromised (and who else is at risk?)

The Guardian has written to users of its jobs website tonight, informing them that the Guardian Jobs site has been hacked into, and that their personal information may have been compromised.

Unfortunately, the Guardian did not say which information was affected, leaving users to assume that uploaded CVs were at risk but unsure whether their username (email) and password were also exposed.

Is the problem limited to The Guardian?
It is worrying that the same software used to power Guardian Jobs, provided by Madgex, is also used by several other mainstream recruitment sites including, among others, The Times, The Sun, The Manchester Evening News, Trinity Mirror titles, Cima, emap and Haymarket (full list here). There is no word yet on whether these other sites have also been affected.

Weird wording
What no doubt baffled users of the site who received the warning email was the following statement explaining precautionary measures they should take: “Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again.” It is not clear why the Guardian thinks a user can “prevent it happening again”. Presumably by being careful and not submitting personal information on sites such as Guardian Jobs? Shirking responsibility?

The wording of the email sent out by the Guardian today:

24 October 2009

Security breach – Guardian Jobs

We learned yesterday evening that the Guardian Jobs website has been targeted by a sophisticated and deliberate hack, which has breached the security of the data on the site. You have used the site to make one or more job applications and we believe your personal data, relating to those applications, may have been accessed.

We are absolutely committed to the privacy of our users, and would like to assure you that we are treating this situation with the utmost seriousness. The matter has been reported to the police, who are now undertaking a full investigation through the police central e-crime unit at New Scotland Yard.

The supplier who runs the site has identified the manner in which it was hacked and taken steps to prevent a recurrence.

We have no reason to believe that any financial or bank data was compromised in this incident. However the police advise that those whose personal data may have been stolen in this way should take a number of precautionary measures. These are outlined below:

1) Contact your creditors, even if they have not been affected, so that they can monitor your accounts to ensure they remain protected.

2) Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again.

3) Contact CIFAS protective registration: If you think you have been a victim of identity theft you should consider subscribing to CIFAS. This places a notice on your credit file indicating that your name and address may be used to perpetrate identity fraud.

In addition the following websites are sources of useful information:

www.met.police.uk/fraudalert/
www.stop-idfraud.co.uk
www.banksafeonline.org.uk
www.getsafeonline.org

We will continue to work with the police whilst the investigation is carried out. Please refer to the following page for updates:

jobs.guardian.co.uk/securityupdate.html

Please do not reply to this e-mail.

UPDATE on 25 October: I’ve received a response from Simon Conroy, CEO of Madgex, the company that provides The Guardian with its jobs site, as follows:

We can confirm that hackers accessed the personal details from some job seeker CVs on our client's recruitment website, Guardian Jobs, on Friday 23 October.

We are not aware of any other Madgex-operated website having been targeted in this way, but we have taken preventative measures to ensure the same issue cannot occur with other client Job Boards.

Madgex has an excellent security record and we are continually reviewing our systems and comply with industry standard practices. Unfortunately, no site can ever be warranted as 100 per cent safe from concerted and technologically sophisticated criminal hackers.

This situation has been treated with the utmost seriousness and Guardian Jobs has contacted all those affected by this security breach, advising them of precautionary measures they can take. Madgex and Guardian Jobs are supporting the relevant authorities with their investigations.
