Global recruitment firm Michael Page leaked 30Gb of job seeker private contact, employment and salary information, in a repeat of the very same circumstances that saw blood donor data leaked a fortnight ago.
It is almost incredible to think a web developer would enable directory browsing on a public-facing website and store their database backups in that very same folder.
Yet, that is what the Australian Red Cross Blood Donor service web developers did, resulting in about 550,000 donor's confidential information being exposed last month.
It is even more incredible to think this would happen and then happen again. Yet, this is exactly what has transpired in the case of global recruitment firm Michael Page.
Not only did Michael Page's web developers repeat the same mistake - enabling directory browsing on a public-facing website and saving database backups to it - but they continued to do so after the news of the Australian Red Cross Blood Donor data leak emerged.
This author can only shake his head in dismay and suggest the same lack of personal diligence and commitment to quality solutions by the individuals responsible also leads them to not pay attention to news about their field.
In essentially a play-by-play repeat of the last month's breach, a security investigator trawling the web for web servers with directory browsing enabled came across Michael Page's site. Just as before, this site included database backups.
In this case, the backups held over 30Gb of raw data from global job seekers, representing millions of unique individuals, and included their name, email address, telephone number, location, employment field, current job, and cover letters.
The individual who uncovered this made it known through Troy Hunt who identified consulting firm Capgemini as the responsible party.
{loadposition david08}Michael Page has sent emails to affected clients, and the individual who made this vulnerability known has deleted his own copy of the data.
Of course, as with the Australian Red Cross, there is no telling how many people had previously discovered this data and downloaded it previously.
It would be a reasonable prediction we are going to see this very same story again in the near future.
We have this one individual who has now single-handedly identified the same flaw with two websites and is most certainly continuing his probing, and we can suggest others will be using the same technique.
To be explicit, this data has not been exposed by exploiting any security vulnerability in a server or software, or via any social engineering or trickery. The simple fact is irresponsible web developers and systems administrators exposed data by a lack of diligence and vigilance. They enabled directory browsing on a public facing website and worse, they saved database backups to this very same public-facing directory browsing-enabled website.
In the case of Michael Page's data leak, Capgemini continued this practice despite reports of the Australian Red Cross data breach and how it occurred.