Global recruitment firm Michael Page has been hacked and has admitted in the past hour that a wide range of personal information on 710,000 clients has been exposed as a result.
The company had emailed affected clients to warn that their names, email addresses and passwords had been compromised, claiming that applicants in only three countries - the UK, the Netherlands and China - were affected.
However, following questioning from V3, the company has admitted that a much wider range of information has been leaked.
Michael Page said in a statement that this includes almost all data inputted by clients into the firm's recruitment websites, i.e. full name, telephone number, email address, location, job sector, role, current job (if applying via LinkedIn) and any cover message.
"Due to the nature of the data, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised," the company said.
Michael Page claimed that the attack was perpetrated on 31 October and was uncovered the next day, but that the hackers agreed to destroy the data, suggesting that they may have been white hats looking to highlight their abilities.
The company has pointed the finger of blame at its services partner, Capgemini, suggesting that the attackers accessed the data via a development server operated by Capgemini that was used to test Michael Page websites.
Michael Page said yesterday in an email to affected applicants: "We regret to inform you that on 1 November 2016 we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini, for testing PageGroup websites.
"We are sorry to tell you that the details you provided as part of your mypage subscription have been identified as amongst those accessed. Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, which is a global leader in consulting, technology and outsourcing services.
"We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened."
Michael Page also suggested that the data had not been "taken with any malicious intent", and that the company had requested that the attackers "destroy or return copies" of the data.
"They have confirmed that they have already destroyed it and we are confident that they have done so," said the firm.
However, Michael Page clients, who include many working in IT, are less than impressed, especially with the use of personal production data on a development server without at the very least encrypting and anonymising it.
"You were entrusted with my data and you have broken that trust by putting my data on a development server and without anonymising it. This is a truly shocking lapse of control by both you and Capgemini," wrote one client.
"It is one of the most basic rules that you do not use personal data in this way. I've been in IT for over 30 years and in every environment I have worked in, any data that contains personal information has been confined to production environments only."
Michael Page clients have demanded to know why it took 10 days to inform them, where the development server was located and the data protection rules applicable, why a development server was made accessible via the internet and whether Michael Page or Capgemini operated "controlled administrator-level access" to the server.
Following the statement today, the company said that it will provide no further public updates. V3 is also awaiting a response from the Information Commissioner's Office over whether it has been informed of the breach, as per the company's legal obligations.
We will update this story as new information comes in.
Michael Page is just the latest in a string of organisations to have suffered security breaches. Yahoo is still reeling from news regarding a major breach in 2014, which it appears to have tried to hush up, while Tesco Bank was breached in an attack last weekend that resulted in the theft of millions of pounds from customers' accounts.