Guardian loses half a million CVs

The Guardian newspaper's jobs website has warned 500,000 users that hackers may have got hold of private information held on the site after a "sophisticated and deliberate" attack. The paper said not all users were at risk, and it has emailed those who are. The email, sent on Saturday, said data relating to job applications " …

COMMENTS

This topic is closed for new posts.
  1. Law
    FAIL

    Errrmmmmm....

    "2) Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again."

    Prevent it happening again? What are they going to say, trust any online or government agency with your data!?

    These agencies and job sites need vetting now anyway - they've got away with dodgy data sharing activities for years. I haven't uploaded or applied to a job in over 3 years, and despite cancelling the one account I did create all those years ago (Reeds Recruitment), my details are being passed between every dodgy agency in the UK, usually suggesting jobs in the place I was moving away from 3 years ago, 250 miles away from where I'm living now.

    Hilariously, I'm always very aware of dodgy check boxes and t&c's, and will always opt out of being shared with other companies, but for some reason, all these agencies seem incapable of telling me where they are getting my details, insisting I must have signed up to them at some point, which is total crap. Ah well.

  2. Graham Anderson
    Unhappy

    Will they pay for my Experian?

    When my employer lost a disk with my details on it, the company paid for me to get Experian credit watch. Will the Guardian cough up for Experian/CIFAS subscriptions for all affected users?

  3. Pete 2 Silver badge

    All website attacks are sophisticated or complex?

    None are ever reported as stoopid [sic] dumb, simple or obvious.

    Same with police reports when they "solve" an internet scam: these scams are always described in ways that make the perpetrators look like evil geniuses, but not quite as clever as the brain-boxes the fuzz employ. While these all make for nice, juicy headlines I can't shake the impression that they're just talking up the level of skill employed (by all sides) to flatter themselves.

    What would be nice would be some factual reporting, without the hype. So instead of describing a breach of security as using complex techniques, why not just come out and say when the crime was merely the result of idiotic, negligent or lazy implementation of poorly understood, rushed or skimped preventative measures that anyone over the age of 6 could have hacked past.

    At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free. You never know, by realising just how simplistic some of these crimes are, we might start holding the guardians of our data to account for their loss.

  4. Jon Press

    Is The Guardian...

    ... offering to pay the GBP12 pa charge for CIFAS registration? It would amount to a mere GBP 6 Million per year for those half million people. Since Guardian News & Media apparently lost around 37 Million in the last financial year it would be a drop in the ocean.

  5. Barry Stamp, checkmyfile

    Misleading warning

    A CIFAS Protective Registration should only be posted if a person suspects that they are a victim of ID fraud. Placing a CIFAS Protective Registration on your credit files can cause problems - no lender (who is a member of CIFAS) is able to assess credit automatically when such a warning is on a credit file - so subjective assessment is used in lieu, which is less accurate, and therefore leads to a greater incidence of declines. Secondly, if you are applying for credit where staff may either be busy or not well trained (e.g. in a retail shop that offers an immediate discount when you take out a store card), then you are very likely to be declined after an embarrassing wait at the till. They are great if you really feel that you are at real risk of ID fraud, but like using a chainsaw, don't use it without thinking about the risks.

  6. Anonymous Coward
    FAIL

    I want to know who's perpetrating all the sophisticated and accidental attacks

    or are there a huge number of lucky idiots running around giving it "Oops, I accidentally the entire database"?

  7. tKe
    Joke

    New job posting on Guardian Jobs

    Required: 1 security adviser. Urgent start.

  8. Graham Dawson Silver badge
    WTF?

    Confusing it is

    I was apparently one of the people affected by this, even though I don't remember signing up to the Guardian in the first place. It must have been years ago.

    Anyway, I tried signing in on the e-mail address they'd contacted me at and lo and behold, my account was gone. Had they expired it before the attack? Or had the attack somehow deleted it? But if it had, how did they contact me?

    I get the feeling they haven't just e-mailed the people affected. They've emailed everyone who was ever registered even if they don't have sensitive details on their database any more. Of course the alternative to that is that they're holding my information without providing any way for me to remove it, which I understand is somewhat illegal...

  9. Anonymous Coward
    Anonymous Coward

    Well, at least they admitted it

    How many such hacks go unreported? Are companies legally obliged to let us know if they lose data, or do we have to rely on them being honest?

  10. BigSpoon0
    WTF?

    Re: Confusing it is

    I find myself in the same boat. Email received on Saturday morning, attempted sign in without luck. Even asking for a password reminder on the email address they sent the email resulted in an error.

    I will be contacting them for an explanation of this.

  11. Anonymous Coward
    Anonymous Coward

    CVs

    Could it be an employer trying to get round all the bloody job agencies to access the original versions of the CVs?

    I'm not sure whether or not to add the 'Joke Alert' icon ...

  12. Anonymous Coward
    Anonymous Coward

    The answer -

    Do not allow any agencies to ask for, or record, any information not pertinent to the service they provide, i.e. advertising a position for a third party.

    Job agencies are not providing the employment, only facilitating it; why do they need to know DOB, NI etc.? This information should only be collected after a job offer has been made.

    Non-government agencies should not be allowed to ask for DOB or NI details unless they are bound by an agreement that makes them liable for data misuse. Any misuse / mismanagement should result in an automatic fine sufficient to offset any loss the affected suffer, i.e. the affected person's earnings for life.

    This business of allowing third parties access to the personal information of job seekers is simply a recipe for disaster and makes it far easier for bogus candidates as the agencies prep the candidates.

    Employers complain that they find it so difficult to find the right person for the post even when their own H-R staff numbers are increasing, why? The reason is that H-R people only know H-R, at best, and hence have only second hand information as to any position's requirements.

    I have interviewed people for employment and I agree it is tedious, however who is better qualified to choose the right person for a job than the person who knows all the position's requirements?

    H-R and job agency staff typically have little understanding of matters outside of their own field and even the best job description is open for misinterpretation.

    Advertise directly and get the right person for the job, it takes time but it is worth it in the end. If you chose the right person for a job you only have to do it once, use a third party and you will be training staff forever.

  13. Andy 97
    WTF?

    Fuckwits!

    I can't believe this happened.

    Please tell me it was an inside job instigated by the hateful Daily Mail rag to get back at the Manchester paper.

    And to think, I nearly took a job there too.

  14. Ken Hagan Gold badge

    Half a million?

    Does the Graun really have that many readers, let alone readers who have posted their CVs to the jobs site? That would mean that 1 or 2 percent of the entire UK working population were users of the site. Seems excessive/optimistic. Perhaps the site has been scraping from other places, which means that at least some of the affected souls probably weren't even aware that their data was stored there.

  15. Mark 186
    WTF?

    I was affected...

    Knowing The Grauniad, the attack probably exploited typos in their code.

    They should take serious steps to resolve this, it has the potential to create financial misery for me and 499,999 others.

  16. MinionZero
    Big Brother

    If we keep leaking data at this rate...

    It's starting to look like the UK will be the first country in the world to offer total open source intelligence on its entire population! :(

    Other countries can't wait for more free info to help them get richer in every way they can, all at our expense, e.g. http://www.wired.com/dangerroom/2009/10/exclusive-us-spies-buy-stake-in-twitter-blog-monitoring-firm/

    The UK companies and government are rampantly abusing our privacy at every turn, yet they treat security like it's a joke. Maybe it is a joke and they are laughing at us for putting up with it all. :(

  17. Anonymous Coward
    WTF?

    Grauniad Kached?

    Today the Grauniad newspaper had to admit it's webtise had been kached, a spekosman for the paper said "most sucsbribers should be nife as on one will be bale to read their CV's ude ot poor spoling".

  18. Tom_
    Unhappy

    I'm angry about this.

    I applied for a couple of jobs through their website around four years ago. Later, I closed my account. This weekend I got the email advising me to clear up their mess at my own expense.

    They shouldn't even have had any of my details on file.

    Does anyone know how I can extract from them the details that they did actually lose? I don't want to go to the effort and expense of dealing with this mess if they haven't actually lost any important data of mine.

    Where's the law in all this? If they have caused half a million people stress and expense through their own failings, shouldn't there be some kind of gigantic fine for that?

  19. KrisM
    FAIL

    can't even change the password...

    My G/F received the email from them, and logged in to check. No CV on file (she tended to send CV with job application apparently), but then we looked at all the past jobs she had applied for - the system says it keeps the last 6 months, but there are jobs going back to March 08 in there!! There is no way (that we could see) that allowed her to clear off the past applications, or CV's that were contained within. Furthermore, we could find no way to change the account password - 'My details' and 'Your Account' were both on the site, but went to the same page which only allowed you to view CV's uploaded and past appointments. So how do you change a password on the account then??????

  20. Anonymous Coward
    Thumb Down

    Who puts

    their credit card number in their CV?

  21. Anonymous Coward
    Coat

    Free Our Data

    Do you think they're taking their Free Our Data campaign a little too far here?

  22. Number6
    Big Brother

    Leaving your details around

    I'm afraid I don't post my CV to 'open' job sites. It normally only goes to employers and occasionally to agencies if they've managed to make up a job description that interests me.

    It's not paranoia if... etc.

  23. Bernie 2
    Thumb Down

    worrying

    Recruitment agencies and job sites seem to be passing our details around like Pokemon cards at an eight year old's birthday party. Would be nice if one of these losers could stop playing Tetris and actually find someone a job while they're at it.

  24. GP08

    Data Protection Act Anyone?

    If they are emailing people who have had no contact with the company for years or even tried to remove their accounts, I wonder what the DPA would have to say about it?

  25. Anonymous Coward
    Big Brother

    This could be a disaster for the chattering classes

    What if there weren't any diversity co-ordinators or street theatre facilitators? No health and safety executive assistants, no bio diversity officers, no five a day monitors, no smoking cessation co-ordinators. No parking enforcement wardens, no litter rapid response teams, no noise abatement outreach facilitators, no recycling monitors, no penalty inspectors, no real nappy organisers etc.

    What an awful place the UK would become. Maybe we'd ALL get a substantial reduction on our Council tax instead.

    Shudder!

  26. This post has been deleted by its author

  27. captain veg Silver badge

    Re: Half a million?

    Guardian.co.uk is the widest read UK newspaper website, currently.

    http://www.guardian.co.uk/media/2009/oct/22/abce-guardian-telegraph-mail-online

    -A.

  28. Flakey

    I find this.......

    ...very strange that the Guardian's website is hacked so soon after their technology editor advocated the hacking of the BNP's website. Maybe his time would be better spent making sure the site is secure. Careful what you wish for....

  29. Stevie

    No Worries

    I'm sure that in the light of the various stupid personal data losses by American banks over the last three years all this information was properly encrypted.

    I mean, who would be so monumentally irresponsible to store reams of unencrypted personal data on a web server?

  30. Anonymous Coward
    Alien

    ..Credit Ref agencies

    .... Contact a credit reference agency: Callcredit, Equifax or Experian provide suggested steps to resolve the situation and prevent it happening again.

    When a Bank etc gives wrong info to Callcredit, Equifax or Experian try asking the agency to right it - they won't correct it unless the Bank agrees (and it takes 6mnths-1 year) so you pay higher interest to the Credit Agencies client.

    Trebles all round!

    an easy way to track who sells your info... set up a domain and redirect an address mailmeXXX@mydomain to a catchall (xxx is your job application ref) - you read the catch all and it doesn't take long to work out the f***wit selling your data.. then send a nice letter to a Director..

    on one business site we set up email addresses for every business partner using their name eg guardian@domain if we tried to partner with guardian

    not even 1 spam email 2 years later...

    f***wits all of them

  31. zenkaon
    Joke

    Don't worry

    The grundian will have put your CV through their editorial ysstem and ensuured that yourCV is spelled corectly. You prbably won't recognisse your addresss.

  32. amanfromMars 1 Silver badge

    Were that it were so simple.

    "At least then we could all feel a lot safer in the knowledge that there aren't a load of internet criminals with IQs over 150 roaming free." .... By Pete 2 Posted Monday 26th October 2009 09:56 GMT

    Pete 2, They are only criminals if caught and convicted of a crime. Until such a time/times, are they shrewd entrepreneurs and astute business persons/operators.

  33. Tim Brown 1
    Troll

    Aren't the Guardian going a bit over the top?

    If simply having your CV enables someone to steal your identity then no-one anywhere is safe.

    What's more, all I have to do is post a fake job ad in a popular industry (media for example) asking people to send in their CVs to harvest a few hundred identities.

    Our society is getting more and more paranoid by the hour.

  34. adnim

    CV details

    Is it really necessary for a jobsite to know your address? Admittedly in the past I have supplied these details on my CV. But for quite some time now my CV address consists of the town I live in and a pay as you go mobile phone number. Only an employer needs to know your full address, home telephone number, date of birth, national insurance number and bank details, and then only when you take up a position.

    Email addresses are something else, use a disposable one and unsubscribe from the spam that comes from real agencies and training providers. Or as suggested go on a crusade, determine who's sharing your data and threaten, preferably with a solicitor.

    As for the sharing and or selling of personal and what should be private information amongst agencies and so called partners, we need a few court cases and big fines, or stronger data protection law to deal with it.

  35. Anonymous Coward
    FAIL

    Look at the bright side

    It was ONLY half a mil.!!!

    Wankers could have lost more.

    Wait, I'm sure they're still working on it.

    Think I'll have a little lie down now.

  36. Anonymous Coward
    Grenade

    Hmmm...

    It'd be interesting to see what would happen if the people affected by this took the Guardian to the small claims courts to reclaim the cost of using a credit watch agency... if only a 1,000 or so did it (individually, not as a group), it would cost the Guardian a serious amount of time and money.

  37. M3JMI

    @AC 11:14 - The answer

    Re DOB - It's illegal for an employer to discriminate against age of a candidate so NO recruitment company needs your DOB

    Re NI - A Recruitment Company only needs this information if you either get the job

    A recruitment company only needs the above information if you need security clearance

    This article is about the Guardian Website not Recruitment Companies. The difference is that sites like this and Jobsite, Monster, Jobserve etc. store CV's on Web Servers so they can be accessed by Recruitment Companies & Employers

    A recruitment Company Stores your DC within a Database on its own Server not connected to the Internet

    I don’t entirely agree with your comments re recruiters…

    I am the IT Manager & Data Controller for a Specialist Recruitment Company

    Our Consultants are all specialists in their fields.. As it is with other smaller agencies…

    I will admit that some of the Larger Agencies do employ general Sales & Admin staff that have little knowledge of the types of people needed for certain roles.. But that can also come back on people like yourself.. If you don’t provide them with enough information about a position you are looking for then how are they supposed to find someone that you will like.. So it’s a bit of both really.

  38. Anonymous Coward
    Black Helicopters

    Could it be....

    ..the government's fault. Maybe they're trying to coerce *Manchester* based Grauniad reading types to sign up for an ID card??? I suspect the spooks had something to do with this.
