Global consulting, technology, and outsourcing services firm, Capgemini, has been named as the IT service provider behind a massive data breach that saw the personal details of potentially millions of job seekers exposed on the internet.
The breach, which was revealed by Troy Hunt, operator of the havibeenpwned.com website, on 10 November, is thought to have involved more than 30 GB worth of data belonging to UK-based recruitment firm, Michael Page – which has offices around the world, including Australia.
Hunt, who revealed the Australian Red Cross Blood Service data breach late last month, was sent a 362 MB compressed file from an anonymous source which, when extracted, turned out to contain 4.55 GB of data, revealing the details from 780,000 jobseeker records.
According to a Michael Page spokesperson, the company understands that the records of 711,000 candidates were accessed by two individuals “without malicious or fraudulent intent,” with candidate data relating to China, the Netherlands, and the UK.
In its capacity as Michael Page’s IT partner, Capgemini was alerted to the incident on 31 October. The data accessed was related to candidates only, and contained identifying information with 10 fields, including telephone number, location, current job, and job type.
“After verifying the nature and credibility of the risk, Capgemini immediately locked down access to the affected areas on the morning of 1 November 2016,” the spokesperson said. “This was followed by discussions with Troy Hunt.
“Due to the nature of the data, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised,” the company said. “We are deeply disappointed that this breach occurred and wish to apologise to those affected.”
According to Hunt, the file was sent from the same person who uncovered the Australian Red Cross Blood Service file that represented a sample of the 1.28 million records contained in a 1.74 GB MySQL database back-up that had been accidentally published to publicly-facing website, in what is understood to be Australia’s biggest data breach to date.
Like the Red Cross Blood Service incident, the Michael Page breach was revealed thanks to the discovery of an underlying risk on the server end, with .sql files exposed on a publicly-facing website, with directory listing enabled, according to Hunt.
In a blog post, Hunt claimed that the person who sent him the leaked file said sent a message saying that, “Michael Page is Capgemini.
“This changed things somewhat because Capgemini is a multinational consulting and outsourcing firm with 180k people across 40 countries,” Hunt said in his post. “As the messages flowed, the story that unfolded was that whilst it was Michael Page's data, it was Capgemini that had exposed it.
“Coincidentally, I had a contact within Capgemini so I reached out to him on Monday 31 with the preface of "you're probably about to have a very bad day". It turned out to be more like a bad week as they worked to understand the scope of the leak and remediate the underlying risks,” he said.
According to Hunt, all known copies of the data have since been removed.
"We have worked very closely with PageGroup to investigate this incident. Our work has established that this was not a malicious attack and we are not aware of any broader dissemination of data or fraudulent activities as a result of the incident," a Capgemini spokesperson told ARN in a statement.
"Privacy and security are key priorities for Capgemini and we are reviewing the security procedures and data protection measures we have in place to protect our customers’ data and proprietary information," the spokesperson said.
The data breach comes as Capgemini’s Australian business joins Accenture, IBM, and Hewlett Packard Enterprises on the government’s panel of IT service providers that will undertake the billion-dollar overhaul of Australia’s welfare payments system.
Capgemini and Accenture will work with the department, and its preferred core software vendor, SAP Australia, on the design work that will play a key part of the next phase of the project.