Digital burglary at recruitment agency Morgan Hunt confirmed

The bad news keeps on rolling for British recruitment agency Morgan Hunt amid confirmation it suffered a digital burglary, with intruders making off with the personal data of some of the freelancers on its books. In a letter to contractors, Morgan Hunt – which provides personnel services to clients in the charity, education, …

  1. Dan 55 Silver badge
    Facepalm

    "In the wrong hands" they say

    It will get into the wrong hands and identity fraud will be committed, that's how getting pwned works.

    And from the quoted text it seems they couldn't even cough up for a year's worth of Experian fraud monitoring.

    1. Anonymous Coward

      Re: "In the wrong hands" they say

      @Dan 55

      All that seems to happen is the crooks wait for about a year or so before doing anything with the knocked off data.

      As for Experian? Well, I suppose they should be familiar with dealing with the fallout from a break-in. They have history with that situation...

  2. Anonymous Coward

    Third Party

    As a person that has been dropped from several contracts over the years in favour of dirt cheap overseas outsourcing, and then hired back when they fuck up, I'd be very curious to know where this "third party" dev is located.

    UK Business Leaders...yes, local talent is significantly more expensive than overseas talent...but that doesn't make hiring local talent bad value for money...on the contrary. Value for money comes from what you get for the money, not how much money you can save by getting what you perceive to be the "same service".

    1. sitta_europea Silver badge

      Re: Third Party

      "Value for money comes from what you get for the money, not how much money you can save by getting what you perceive to be the 'same service'."

      Going back 40 years I had a product manufactured by a company in Milton Keynes. The buyer there - to protect the innocent let's call him Duncan Hunter - decided that he could replace an integrated circuit with one that was about 5p cheaper than the one that was specified in the parts list. He never told anybody what he'd done. It wasn't helped by the fact that a guy in the testing department - to further protect the innocent let's call him Roger Kirby - decided to ignore not only the fact that the part wasn't the one that was specified but also the test specifications, which would have made it obvious that it wasn't going to work reliably if they'd actually been followed as per the contract. Long story short, a couple of people had to spend a fortune flying four thousand miles and staying for a month in a hotel so they could rectify 1600 of the friggin' things in the basement at the customer's Chicago headquarters.

    2. Anonymous Coward
      Flame

      Re: Third Party - WHO?

      I am sick of "third parties" being anonymous in these reports. They should be exposed to the light of day.

  3. tiggity Silver badge

    "risk is low"

    I would have thought risk is quite high.

    Data stolen included identity documents (so potentially scans of driving licence or passport), bank statements (acc no, sort code, account name, some transactions for those bank security questions you often get asked e.g. describe your regular direct debits), NI number.

    All of those are very useful in identity fraud. Next level usefulness compared to just address etc.

    1. Cederic Silver badge

      Re: "risk is low"

      Very useful? It's good enough to not just commit ID fraud but also take over existing accounts.

      This is as serious as personal data breaches get.

  4. H in The Hague

    Why not store some data offline?

    Quote from the article: "identity documents, proof of address documents (including any bank or building society statement provided)"

    Why is that data even kept online? You would expect they only need that once, when they start working with somebody. Keeping it offline, possibly as hard copy in a filing cabinet, would make it much easier to protect the data. It would cost a little more in storage and clerical expenses, but would make data protection compliance easier and cheaper, and would probably reduce ICO fines and legal hassle from folk whose PII has been leaked.

    Or does even thinking of that make me an old fossil?

    1. BearishTendencies

      Re: Why not store some data offline?

      Of course it does! It needs to be tokenised and stored as an NFT on a private blockchain. That's the future.

  5. Anonymous Coward

    I'd been wondering…

    > Bad actors have used their nefarious skills in the recruitment sector on numerous occasions in the past year, including a digital break-in at Optionis and Giant Pay.

    …what Bruce Willis was getting up to these days.

    1. Stoneshop
      Trollface

      Re: I'd been wondering…

      …what Bruce Willis was getting up to these days.

      Well, he's suffering from aphasia, so while he may still be considering getting up to something, he's going to have a hard time expressing his plan to a co-conspirator.

      Now, Ben Affleck and Keany Reeves ...

      1. Anonymous Coward

        Re: I'd been wondering…

        Keanu Reeves?

        Quarterback punk...!

  6. Anonymous Coward

    Theoretical

    > There is, it admitted, "a theoretical risk that in the wrong hands, some of the information could potentially be used to attempt to commit identity theft or fraud."

    What else are you going to steal the data for? As a hobby?

  7. sitta_europea Silver badge

    "...we recommend that you exercise increased vigilance in all matters relating to your personal details."

    As opposed to the way we carried on, until it hit the fan. And very probably will ever after.

  8. VoiceOfTruth Silver badge

    Computer + network = insecurity

    The supposed experts like SolarWinds cannot even protect their own stuff. It's akin to the burglar alarm company being burgled, or the fire station burning down. Anti-virus/malware is just a catch up game (don't mention so-called "heuristics", they have to be updated too, i.e. catch up with what is actually happening).

    Most end users do not know about computer security. That "most" is probably about 90%+ of users. That's fine - I'm not a dentist and don't know the ins and outs of teeth, I only know if I have a toothache I have to go to the dentist. A lot of users think "I have anti virus, I am protected" or even worse is the conceited "I'm using Linux so I don't have to worry so much". Even large organisations with full time IT staff don't always keep their guard up, or they misconfigure something, or some code has a security bug in it.

    All of this added up means a computer + network = insecurity.

    Back in the day, files like this would have been kept on paper, and Bob the Burglar would have to break in or have somebody on the inside to get these files. Not now.

    How many times do we keep needing to read about computers + a security compromise? It's not going to stop. It's not just a matter of updating your OS + apps + AV + firewalls. Computer + network should be considered insecure (now or eventually).

    1. Stoneshop
      Facepalm

      Re: Computer + network = insecurity

      or some code has a security bug in it.

      "How many applications do we run that are susceptible to log4j?"

      "Don't ask me[0], ask the developers at the various software suppliers."

      [0] I'm supposed to install the applications and keep an eye on their performance, not even installing and configuring WebLogic itself. And networking are the ones in charge of the firewalls.

  9. bpfh

    So less Morgan…

    … and more Berkshire?

  10. Doctor Syntax Silver badge

    From what they said it seems like it might not have been an unauthorised third party, just an authorised one being naughty. Has the third-party developer sufficient public liability insurance? And have Morgan Hunt informed the ICO?

  11. Stoneshop
    Facepalm

    British recruitment agency Morgan Hunt

    Don't they look for people with other first or last names? Or driving a particular brand of car? Seems like needlessly limiting your search pool.
