Graduate recruitment site exposed 50,000 CVs sent to Virgin Media UK

Virgin Media has shuttered a kindergarten-grade bug in a third party website that exposed up to 50,000 résumés it's received over the years, complete with names, street and email addresses of applicants. The vulnerability was due to entirely absent access controls on a public server to which applicants were directed to upload …
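The article summary above describes a public upload directory with no access control at all, which on a POSIX host usually means the uploaded files and the directory itself are readable by every account (and listable by the web server). The following is an added example, not code from the article or from the recruitment site it describes: it walks an upload root, reports every file or directory exposed beyond its owner, and tightens the modes to 0700/0600. The `build_demo_tree` helper constructs throwaway sample data so the audit can be run offline; paths and file names in it are made up.

```python
"""Audit an upload directory for world-readable files and listable directories.

Added example, not code from the article or the site it describes. It assumes
a POSIX host where uploaded CVs live under one root and should be readable
only by the service account that owns them (0700 directories, 0600 files).
"""
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that let anyone other than the owner read (or, for a directory,
# list) and traverse an entry.
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_EXEC = stat.S_IXGRP | stat.S_IXOTH


def audit_upload_root(root):
    """Return a sorted list of (path, problem) for entries exposed beyond the owner."""
    findings = []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        mode = d.lstat().st_mode
        if mode & GROUP_OTHER_READ:
            findings.append((str(d), "directory listable by group/other"))
        if mode & GROUP_OTHER_EXEC:
            findings.append((str(d), "directory traversable by group/other"))
        for name in filenames:
            f = d / name
            st = f.lstat()  # do not follow symlinks planted in the upload tree
            if stat.S_ISLNK(st.st_mode):
                findings.append((str(f), "symlink inside upload tree"))
                continue
            if st.st_mode & GROUP_OTHER_READ:
                findings.append((str(f), "file readable by group/other"))
    return sorted(findings)


def lock_down(root):
    """Set 0700 on directories and 0600 on regular files under root; return count changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if stat.S_IMODE(d.lstat().st_mode) != 0o700:
            d.chmod(0o700)
            changed += 1
        for name in filenames:
            f = d / name
            st = f.lstat()
            # Only regular files are touched; symlinks are left for a human to inspect.
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) != 0o600:
                f.chmod(0o600)
                changed += 1
    return changed


def build_demo_tree():
    """Create a throwaway tree mimicking a careless upload directory (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    root.chmod(0o755)  # listable and traversable by anyone, as the article describes
    exposed = root / "cv_applicant1.pdf"
    exposed.write_bytes(b"%PDF-1.4 constructed sample")
    exposed.chmod(0o644)
    private = root / "2015"
    private.mkdir()
    private.chmod(0o700)  # mkdir honours umask, so set the mode explicitly
    safe = private / "cv_applicant2.doc"
    safe.write_bytes(b"constructed sample")
    safe.chmod(0o600)
    return root, exposed, private


if __name__ == "__main__":
    demo_root, _, _ = build_demo_tree()
    for path, problem in audit_upload_root(demo_root):
        print(f"{problem}: {path}")
    print(f"fixed {lock_down(demo_root)} entries; remaining: {audit_upload_root(demo_root)}")
```

File modes are only one layer: the web server's own configuration (no directory index, uploads served through an authenticated handler rather than from the document root) has to be checked separately, and this script deliberately does not follow symlinks, since a symlink dropped into an upload directory is itself a finding.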

  1. Bronek Kozicki

    This is embarrassing

    Hope Virgin gets slapped by the ICO

    1. Anonymous Coward

      Re: This is embarrassing

      It'll be the usual wet noodle thing. Personally I think this should be pushed into the criminal sphere, with responsibility travelling up the chain where it belongs, it's not going to get any real attention otherwise.

      1. Halfmad

        Re: This is embarrassing

        Correct, until we start seeing directors held accountable it'll always be an acceptable risk.

        1. VinceH

          Re: This is embarrassing

          "until we start seeing directors held accountable"

          Although it's not for issues like this, it appears El Gov are taking a step in the right direction - they're going to be doing that when it comes to dodgy cold callers: Government clamps down on nuisance call crooks

          All we need now is a bit of mission creep.

          1. Bronek Kozicki

            Re: This is embarrassing

            "mission creep" is one thing I fear from this government. Or more specifically from Mrs May.

            1. Anonymous Coward

              Re: This is embarrassing

              "mission creep" is one thing I fear from this government. Or more specifically from Mrs May.

              Yup. The "creep" bit is there already. And she's on a mission. Uh oh.

  2. Dan 55

    What's all this?

    We'll have no résumé here, this is a .co.uk website for .co.uk people.

    1. Phil W

      Re: What's all this?

      Would you prefer Curriculum Vitae?

      Except this is a .co.uk site not .roman.empire site.

      Romani ite domum!

  3. David Roberts

    Why?

    Were VM using a 3rd party web site?

    Recruitment agent?

    Names should be named!

    1. John Brown (no body)

      Re: Why?

      According to whois...

      Domain name: campusfutures.co.uk

      Registrant: mr andrew wood

      Registrant type: UK Individual

      Registrant's address: The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

  4. Tom Paine

    Shame on Virgin Media for not even giving credit, let alone a bug bounty. Wake up and smell the coffee or the next researcher might prefer to sell the info on the black market. What's the going rate for 50,000 detailed PII records, I wonder?

  5. Anonymous Coward

    except ...

    It's not even Virgin's responsibility to fix. The firm in question is Campus Futures, they sell University 'recruitment' to large firms. Let's hope they get a grilling over this cock-up ...

    1. BebopWeBop

      Re: except ...

      It is Virgin's responsibility to make sure that it does get fixed though

      1. Prst. V.Jeltz

        Re: except ...

        I'm with AC,

        I don't see what Virgin has got to do with this.

        1. Anonymous Coward

          Re: except ...

          "I don't see what Virgin has got to do with this."

          I'm not 100% sure of the relationship between Virgin and Campus Futures, but if it's deemed Virgin are outsourcing the processing of data to Campus Futures, then it's still Virgin's problem. Quoth the ICO:

          "As data controller you will remain liable for compliance with the DPA in relation to both the processing and any sub-processing (whether that processing is carried out in the UK or overseas). It is therefore important that you are satisfied that the proposed subcontracting will not materially increase the security risks to the data being processed nor adversely affect the rights of the data subjects."

  6. Benchops

    Patched? Bug?

    This sounds like basic configuration!

  7. Captain Badmouth

    Security Engineer?

    How did he get that title? Engineer ffs? If he is an engineer and not a wet behind the ears script kiddie he should be ashamed.

    Talking of exposed information, did you know that if you use the confused.com website to search for an insurance deal that they then send you an email with a link to your account - with all the details you've entered "and no need to log in"!

    Wonderful innit?

    I complained and this is the response I got:

    "Hello Mr ****,

    Thank you for your email. My name is **** ****** and I'm a complaints officer here at Confused.com.

    I'm very sorry you're worried about security after using our website. Rest assured this is not the experience we want for our customers.

    After you generated insurance quotes for your ********** flat, our system would have sent an automated email on the day you received your quotes to confirm your cheapest prices. When you click the link in this email you are directed straight into your Confused.com account, and this happens because only the email account holder (yourself) will have access to this link. Additionally, the link can only be clicked a certain number of times and can only be clicked for a period of time (30 days) before it becomes unusable.

    In this case, Mr ****, your Confused.com account could only be compromised if your email account were to be accessed by another person, so we would advise you to keep a strong password and security question on your email account to prevent this from happening.

    I hope this email clarifies why you were able to access your account without a username and password, Mr ****, and I hope this reassures you that nobody else will be able to do so unless they have access to your email account where they can find the link. As the email can only be viewed by yourself, I've closed your complaint as not upheld.

    I hope that we have been able to resolve your complaint with this explanation, but if you have any further queries, please don't hesitate to contact us again."

    Be warned, this is the level of competence these companies have facing the world.

    1. John H Woods

      Re: Security Engineer?

      Please... Tell us how you replied to that extraordinary piece of wibble

      1. Captain Badmouth

        Re: Security Engineer?

        "Dear ****,

        You're new to this, aren't you?

        Here is an easy page to read about why email is insecure and why your company's policy of sending a link which gives direct access to my account with my personal information and that of my family is lunacy.

        http://www.digitaltrends.com/computing/can-email-ever-be-secure/

        I am referring your reply to the relevant government department."

        I forwarded the reply to the ICO. I have had reason to complain to them before over a copy of a power of attorney that was sent by a pension company by email.

        The pension company were forced to apologise to me but the ICO took no further action as it was felt to be an "isolated incident".

        I can't wait to see how this works out.

        Why not try it for yourselves, guys? Just don't put in your correct details. :)

        1. Anonymous Coward

          Re: Security Engineer?

          Maybe this thread could be updated with events as they unfold?

          1. Captain Badmouth

            Re: Security Engineer?

            Gladly, the Reg could even do a separate article on it.

            Most of these companies are in the security stone age, with apologies to neanderthals everywhere.

        2. f-den

          Re: Security Engineer?

          Innocent question: if email is not secure, how would it work otherwise? Surely Forgotten Password on the site would leave you just as vulnerable? Just curious to know as personally I find NOT needing to enter a password on these sites quite convenient

          1. Captain Badmouth

            Re: Security Engineer?

            The fact that it's not secure doesn't excuse these buggers making it even less so. The whole point is to get these people to tighten up their procedures to make it secure. Forgotten password prompt should require 2 factor authentication. You'll thank us for making your convenience obsolete.

    2. adnim

      Re: Security Engineer?

      "... and "walked" a security engineer through resolving the mind-bending bug".

      So not only was the "security engineer" unaware of the permission settings, he/she could not even correct the problem without help?

      Sigh

      Addendum: It's not a bug, file and directory permissions are a feature. This is just sloppy website administration.
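The Confused.com reply quoted in comment 7 describes a link that is valid for 30 days, can be clicked several times and lands the bearer straight in the account; the follow-up reply argues that a mailbox-delivered link should at least be backed by a second factor. The block below is an added example, not Confused.com's code or anything from the site in the article. It assumes an in-memory token store (a real service would persist the hashes in a database) and an injectable clock so the expiry paths can be exercised offline. It contrasts the loose 30-day, multi-use link with a token that is short-lived, consumed on first use, bound to one purpose, stored only as a hash, and only unlocks the account after a TOTP code is checked. The TOTP secret is the RFC 6238 test secret, included so the code can be verified against the published vectors.

```python
"""Single-use, short-lived e-mail links plus a second factor.

Added example, not code from Confused.com or from the article. It assumes an
in-memory store and a clock passed in by the caller; the TOTP secret below is
the RFC 6238 test-vector secret, not a real credential.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60          # minutes, not a month
LOOSE_TTL_SECONDS = 30 * 24 * 3600   # the 30-day window from the quoted e-mail
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test secret (assumption for the demo)


class LinkStore:
    """Issues and redeems bearer tokens sent by e-mail; only token hashes are stored."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, purpose, ttl=TOKEN_TTL_SECONDS, single_use=True):
        """Create a token bound to `email` and `purpose`; return the raw token for the e-mail."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "email": email,
            "purpose": purpose,
            "expires": self._now() + ttl,
            "single_use": single_use,
            "used": False,
        }
        return token

    def redeem(self, token, purpose):
        """Return the e-mail bound to `token` if it is valid for `purpose`, else None."""
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return None
        if rec["purpose"] != purpose or self._now() > rec["expires"]:
            return None
        if rec["single_use"] and rec["used"]:
            return None
        rec["used"] = True
        return rec["email"]


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 time-based one-time password for the Unix time `now`."""
    return hotp(secret, int(now) // step, digits)


def loose_link_login(store, token):
    """The pattern in the quoted reply: clicking the link is the whole login."""
    return store.redeem(token, "view-quotes")


def strict_link_login(store, token, totp_secret, submitted_code, now):
    """The link only proves mailbox access; a second factor is still required.

    The token is consumed even when the code is wrong, so a stolen link cannot
    be retried against guessed codes; the legitimate user requests a new link.
    """
    email = store.redeem(token, "view-quotes")
    if email is None:
        return None
    if not hmac.compare_digest(totp(totp_secret, now), submitted_code):
        return None
    return email


if __name__ == "__main__":
    store = LinkStore()
    link = store.issue("applicant@example.invalid", "view-quotes")
    code = totp(DEMO_TOTP_SECRET, time.time())
    print(strict_link_login(store, link, DEMO_TOTP_SECRET, code, time.time()))
    print(strict_link_login(store, link, DEMO_TOTP_SECRET, code, time.time()))  # None: single use
```

The difference in exposure is the window an attacker who reads the mailbox gets: with the loose settings a forwarded or intercepted message stays usable for a month and for several clicks, with the strict settings it is dead after fifteen minutes or one use, and even a live link shows nothing without the second factor.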

  8. Mutton Jeff

    Tight fekkers

    Not even a year's sub!

  9. Prst. V.Jeltz

    so none of the first 50,000 degree level educated patrons of the site noticed this?

  10. Wolfclaw

    The only access control VM have is to the wallets of their customers they enjoy fleecing!

  11. Derichleau

    According to the ICO's Legal Team, any organisation can process that information without being prosecuted because according to them, personal information found in the public domain does not require the consent of the data controller.

    So if Virgin are Company A and they've accidentally disclosed this personal information to the public domain, then Company A could possibly face prosecution by the ICO. Particularly when you bear in mind that being a member of a union is sensitive personal information and a typical CV might contain this information.

    Yet according to the ICO, if Company B comes along and decides to process the information that has been disclosed, Company B cannot be prosecuted. Even if they know full well that the disclosure was accidental. If Company B processes this information then the most that can happen to them is that the ICO will tell them that they've unfairly processed personal information and not to do it again.

    I'm currently challenging the ICO's view that information found in the public domain does not require the consent of the data controller.
