Jobs.ie Security Breached.

AARRRGH

Yeah, I reckon you could be right. It would be fairly hard to catch someone in the middle of a hack, so more likely they noticed something dodgy in their log files after the event happened.

Little-Devil

Galen wrote: »

Report it to the guards, that's what I did this morning after I the same email.

What did the guards say? I checked the papers this morning and nothing was mentioned, i would say monday there might be something.

AARRRGH

Little-Devil wrote: »

What did the guards say? I checked the papers this morning and nothing was mentioned, i would say monday there might be something.

Yeah. I would imagine Jobs.ie are working on or already have a press statement.

Galen

Not a lot, just that they're going to investigate Jobs.ie and take a statement from me in a couple of days.

Little-Devil

dublindude wrote: »

Well, there's only a couple of scenarios -

1. A hacker got root access to the server. He either downloaded every CV or was in the process of doing so before he got cut off.
2. A hacker gained access to a number of employer accounts. He could then download the CVs from those employer accounts.
3. A hacker gained access to a Jobs.ie admin account. I'm guessing he could access employer accounts or perhaps the CV database that way.

My money is on #1.

Dublindude you are correct,
I called last night as i was curious how they could be so stupid and knew it was more then a few that was downloaded.

I was told that someone ( hacker i think) got access to a staff memebers log on details and that is how they downloaded the information ( through a server me thinks ). I was told that there was an investigation under way and i would get futhrer updates.

Little-Devil

Galen wrote: »

Not a lot, just that they're going to investigate Jobs.ie and take a statement from me in a couple of days.

Do you think everyone should report this to the guards?

AARRRGH

That's interesting Little-Devil, thanks.

In fairness to Jobs.ie, that could probably happen to any website. I wonder how the hacker got the staff member's login details though. I bet you most people would probably fall for a telephone call from IT (or rather, a hacker pretending to be IT) asking for their username and password...

Little-Devil wrote:

Do you think everyone should report this to the guards?

Nah, I reckon they know the details already.

Little-Devil

dublindude wrote: »

I wonder how the hacker got the staff member's login details though.

This what i thought straight away and also why would some hacker if it was go to the trouble of downloading CV's? I can't think how important the information would be, but i supose it depends on the they use this information that would worry me most.

AARRRGH

Monster.ie make most of their money from their CV database.

For example, I know a one-man recruitment agency who is charged 7k per year to browse their database.

So I guess there is money in CVs...

board om

it could well be an ex employee. if you think about it they had access to a 'staff members logins'. the CV's would be most use to an ex employee leaving to start up on their own or going to the competition.

board om

dublindude wrote: »

I dunno. To send an e-mail to every jobseeker like this is a bit OTT if it's just an ex-employee being a dick.

Monster.ie did get breached, but it was due to phishing rather than a technical hack.

if all the canddiates email were stored together it would probably be as easy to send it to everyone. plus if they found out later that more CV's had been taken than they thought originally then they wold have to send out a second mail. i would say they would rather get it all done in one go and then have everyone forget about it in a month or so, than send half the people emails and then the other half in a few days. it would drag it out longer and make people more nervous. jobs.ie would want it forgotten about as quick as possible.

with regards Monster, when you say they were phishing, does that mean they sent around the fake emails to people like they do with the bank or how would it work?

AARRRGH

Yeah, as far as I remember, the hackers targeted certain companies who advertise on Monster with a fake "please update your login details" e-mail.

A lot of companies include the HR person's contact name on their job adverts, so the phishing e-mails could be very targeted.

MementoMori

I wonder what exactly www.jobs.ie data/privacy policy is.

I'm sure the data/privacy ombudsman will have something to say about this especially if people who applied for jobs a long time ago were kept on file

I wonder if there is any chance they might have to pay compensation or at least make a good-faith no fault payment gesture.

board om

dublindude wrote: »

Yeah, as far as I remember, the hackers targeted certain companies who advertise on Monster with a fake "please update your login details" e-mail.

A lot of companies include the HR person's contact name on their job adverts, so the phishing e-mails could be very targeted.

well i know my advertisments have my direct phone line and email. i would never use my company email for anything personal yet i constantly get junk emails and 'a relative of yours died and left you €500,000,000' or 'you have won the venezuela lottery'. so they must be coming from these advertisments. i wondered about that. i also get strange phone calls in work now and then trying to sell stuff and they have all my details so i presume they get the details from there as well.

as regards the payment for CV search with monster, €7k for the year would be cheap. i know it can cost us €30k plus for us to advertise and search CV database. and irishjobs is about €15k upwards. its ridiculous money.

AARRRGH

From http://www.jobs.ie/Privacy.html -

While Jobs.ie makes every effort to protect all personal information, we recognise that unfortunately no data transmission over the Internet can be guaranteed to be 100% secure. As a result Jobs.ie cannot ensure or warrant the security of any information you transmit to us, you do so at your own risk.

It sounds like they've only covered there ass where it comes to data during transmission, not data they save on their server.

Here's the full privacy policy -

Jobs.ie has created this Privacy Policy to demonstrate our firm commitment to privacy. The following outlines this commitment to users as we want to be able to provide everyone with a user experience that is safe and secure. Jobs.ie wants to ensure, to our best efforts, that any information you give us remains private and are used only for the purposes outlined in this Policy.

By using the Jobs.ie website, it is understood that you agree with the terms of this Privacy Policy.

A user can access our website, Jobs.ie (the 'site') and utilise many of our services without providing any information to us at all. Nor do we follow a user's browsing path outside of our site. We do develop summary - not individual - reports for our recruiters and advertisers.

This Privacy Policy applies to the Jobs.ie owned website and domain.
The Jobs.ie website may provide links to third-party websites for your convenience. If you access these links, you will leave the Jobs.ie website. Jobs.ie does not control these sites or their privacy practices. Any exchange of information with unrelated third parties is not covered by this Privacy Policy. We encourage all users to review the Privacy Policy/statement of any third party before submitting personal information.


Site Security
Jobs.ie is committed to protecting the information you provide us with. To prevent unauthorised access or disclosure of information under our control , Jobs.ie has appropriate security management systems in place to safeguard the information we collect.

Firewalls, Intrusion Detection and Virus Scanners are used on all parts of the Jobs.ie website. Encryption during transmission is also used on sections of the site where security is particularly important.

While Jobs.ie makes every effort to protect all personal information, we recognise that unfortunately no data transmission over the Internet can be guaranteed to be 100% secure. As a result Jobs.ie cannot ensure or warrant the security of any information you transmit to us, you do so at your own risk.

Personal Information
There are areas of the Jobs.ie website where you can request information, subscribe to marketing materials, enter competitions, register yourself for our online services, request customer support or apply for a job within our organisation. This can involve registering your personal information such as; your name, e-mail address, password, contact details, educational and employment background, and job interest information. The information collected is solely for the purpose of personalising your user experience and for delivering the service(s) that you have signed up for. Once you choose to provide Jobs.ie with personal information, you can be certain that it will only be used to support your relationship with us.

Application Information
Jobs.ie operates as a platform for jobseekers and recruiters with the tools to enable you to choose the companies and recruitment agencies you would like to speak to when you wish to do so.

When you make an online application on Jobs.ie your personal information / CV application is received by Jobs.ie and stored in our system for companies to access. Only companies who you apply to are able to have access to your details. By forwarding your information to that recruiter for the vacancy advertised Jobs.ie understands that it is your decision to disclose this information to a third party and acknowledge that the third party is not covered by the Jobs.ie Privacy Policy.


Client Profiles
Jobs.ie vacancy advertising clients are given the option to have a profile page on site. This includes information related to their company such as; company logo, contact details, company profile, web address and related links. This information is disclosed for your convenience and information, however if you access some of the links and web addresses disclosed on these pages, you will leave the Jobs.ie website.

Some Jobs.ie clients are advertised on site under featured employer member pages; which means Jobs.ie host a number of their web pages on our server to provide users with an experience similar to the recruiters own website.

Jobs by Email
The Jobs by eMail Alert service matches a jobseeker's requirements for employment with the profile of vacancies advertised on our site. For jobseekers who subscribe to this service, you receive an email listing of those jobs which match the criteria you have registered. You can unsubscribe from this service at any time.

CVs
Jobseekers may decide to register their CV in our database. Users can choose to make their CV searchable for inclusion in our CV database product. This product allows your CV to be viewed by recruiters who have subscribed to this service. It also means that you can attach your CV to your online job application(s).

We endeavor to grant access to the CV database only to recruiters who agree to abide by our Terms and Conditions. However, should a third party gain access to your CV by evading our security measures, we cannot be held responsible.

You may remove your CV from our database at any time. However, recruiters who have already accessed your CV may have kept a copy of it in their own files. Please note that we cannot be held responsible for the retention, use, or privacy of your CV in these instances.


You may review, correct, update or change your MyJobsie account profile information or CV at any time. Simply log into your Jobs.ie account, go to your Account Profile or CV, review your account information or CV and, if you wish, edit it with the options provided. You may also delete your CV through this method.
If you wish to delete your MyJobsie account profile information at any time, please contact us at jobseekers@jobs.ie. An email will be sent to you to confirm that your information has been deleted (save for an archival copy which is not accessible by you or third parties on the Internet). The archival copy is retained indefinitely for audit and record purposes.
If you wish to revoke your consent to our Privacy Statement, please contact us at at jobseekers@jobs.ie. However, please note that if you do withdraw your consent, you may not be able to use the relevant services and your MyJobsie account profile information will be deleted.

Marketing
To provide the best user experience Jobs.ie may invite you to provide us with information regarding your personal or professional interests and experiences with our products or services. Providing this additional information is optional.


Copyright Statement
Copyright is implied irrespective of whether a copyright symbol or a copyright statement is displayed. Content on the Jobs.ie website can be downloaded for personal non-commercial use . Where use of other materials is desired the source must first approve and also be acknowledged. Permission to reproduce the Jobs.ie copyright does not extend to any material on this site which may be the property of a third party. Authorisation to reproduce such material must be obtained from the copyright holders concerned.


Changes to our Privacy Policy
Jobs.ie reserves the right to change or remove this Privacy Policy at its discretion and will post any new Privacy Policy here. Therefore we would encourage you to visit this area frequently to stay informed.


Contact Information
Jobs.ie welcomes any comments regarding this Privacy Policy. If you have reason to believe that Jobs.ie has not adhered to this Privacy Policy, please contact us via email or write to us at the address provided below; and we will make all reasonable efforts to promptly determine and remedy the problem.

The Jobs.ie Customer Services Team

Jobs.ie Ltd
Unit 1a, Watersedge
Charlotte Quay
Dublin 4
Ireland

foxyscot08

As someone who has worked in the Recruitment Industry for the last 7 years I am horrified to also find my CV has been hacked into on Thursday evening. This has happened in Ireland before as someone already said to monster last year.
I too have never uploaded my Cv to jobs.ie as I deliberately avoid unwanted cold calling from agencys etc... In the past I used this site to apply directly to an advertised job with an outside employer so I am more concerned as to how my actual details were taken.

With monster the CV databse is indeed there for the sole purpose to publicly post your cv to generate interest and last year when the same thing happened to them it was directed to the cv database so today I am far more worried that my cv was NOT on a database and yet still some hacker has all my personal information and yes including my PPS number , middle name, date of birth and address.

For info this was reported in the press today in the Independant - they have said that the attack came from "abroad". The report also says that the authorities will not be notified until Monday.By the looks of things this is not a "small" number of people affected as last night at 9pm i too rang the helpline and was not told anything helpful at all. i also requested more information and for someone to give me better answers.

I since have also reported this to the guards who will take this seriously - they also have a fraud section you can contact and you can also complain to the data protection commissioner on monday.

re the use of cvs - anyone who applies for a job via the web is always taking a risk and is relying that the company receiving your details and cv have a secure data protection system in place. From the sound of this attack I doubt this is disgruntled ex employee or someone using cvs for business development or to pass onto agencys as most will have monster cv database anyway and can look at public cvs any time they want making the cv side pretty worthless.

Finally i am more annoyed as someone else has said that this happened on Thursday and yet jobs.ie deliberately stalled warning us until after close of business friday night where we could not report it to certain areas of press.

Not the best weekend I have spent as I have been advised to notify my bank that this has happened and any relevant areas just to be safe so my advise is that you do the same!

AARRRGH

foxyscot08 wrote: »

In the past I used this site to apply directly to an advertised job with an outside employer so I am more concerned as to how my actual details were taken.

When you apply for a job on Jobs.ie, your CV is stored online in the employers account, i.e. on the Jobs.ie server.

This would be fairly normal for a jobsite. The idea is to archive all the job applications online.

I said this in a previous post: a determined hacker can hack any website. What happened to Jobs.ie could happen to any website.

bobzi

I got one of those emails aswell.

It says in their privacy agreement 'You may remove your CV from our database at any time.' but I never uploaded my CV in the first place so how could I remove it? I only ever attached it to a job application and that was nearly three years ago.

Im well p*ssed off about them keeping my CV on the sly

foxyscot08

That is true however from the report I have it is the old archives that have been attacked and many people have not used this site in the last 18 months have been affected. Most of the other web boards refresh there database as a matter of course for example monster claim they will remove your details from the CV databse if you do not actively go online to your monster account after a certain amount of time

I am just angry that this could have happened and to so many people.

Exit

I used the site in the summer for the first time (as far as I can recall) so it may not just be old archives.

So, if the hacker wasn't somebody setting up shop on their own and is more likely to be criminal, what use is a CV to them? Genuine question. What could they use this information for?

foxyscot08

Exit wrote: »

I used the site in the summer for the first time (as far as I can recall) so it may not just be old archives.

So, if the hacker wasn't somebody setting up shop on their own and is more likely to be criminal, what use is a CV to them? Genuine question. What could they use this information for?

well the worst thing is that although most people are advised never to use password that are familiar or unsecure the reality is that especially online passwords we use maiden names , middle names etc..

Anyone with a CV will have a date of birth - used a numeric passcodes or pins
They can also use your email address and hack into your email again using passowrds like your name , surname, your favourite thing
If your PRSI nuber is on it you can ring the revenue with your prsi number and they will give you info after you confirm your date of birth and full address and mobile - all of which probably on the CV

However this is worst case scenario - the liklihood is that we may get calls to our mobiles.

In the UK identity theft is prevalent to the point that people have your address and rake the bins and use the kind of information on your cv to upload a credit card application - particularly online

AARRRGH

foxyscot08 wrote: »

well the worst thing is that although most people are advised never to use password that are familiar or unsecure the reality is that especially online passwords we use maiden names , middle names etc..

Hackers frequent boards.ie too. I try to warn people every time they post a thread here, but people seem determined to give strangers whatever information they ask for.

For example, "What's your porn name?" threads. You mix your mothers maiden name with your pets name. There are date of birth and middle name variations as well.

chris85

dublindude wrote: »

Hackers frequent boards.ie too. I try to warn people every time they post a thread here, but people seem determined to give strangers whatever information they ask for.

For example, "What's your porn name?" threads. You mix your mothers maiden name with your pets name. There are date of birth and middle name variations as well.

Well i wouldnt want someone knowing if i worked in a bank and had access to money from the safe as may be told as part of duties in the job. This could lead to the known "tiger" attacks that were seen last year.

leeroybrown

Just a few of quick points about this:

1) This was bound to happen to an Irish job site at some stage. In fact, I wouldn't be all that surprised if it's happened before and gone unnoticed.

2) I've seen a few people complaining about how long it took to send out the notification. In fairness to them, if they discovered a problem at some stage on Thursday evening it will take a reasonable number of hours to investigate what happened, how much data was lost, whose data was lost, etc, make decisions about what to do and then send out the confirmation. Quite frankly if they did it much faster I'd reckon that they'd have rushed.

3) This could result in an interesting number of complaints to the Data Protection Commissioner on the basis of e-mails to people who applied a long time ago yet unknowingly still had their CVs in a place of risk.

Chucky the tree

Mine was tkaen too. How do i terminate my acc with jobs.ie?

foxyscot08

leeroybrown wrote: »

Just a couple of quick points about this:


2) I've seen a few people complaining about how long it took to send out the notification. In fairness to them, if they discovered a problem at some stage on Thursday evening it will take a reasonable number of hours to investigate what happened, how much data was lost, whose data was lost, etc, make decisions about what to do and then send out the confirmation. Quite frankly if they did it much faster I'd reckon that they'd have rushed.
.................................................................................................

I know what your saying but in regards the timing you must admit it was very suspicious that the emails were sent after core 9-6 hours monday to friday to avoid any business hours disruption and also calls are being diverted to a number that is not a jobs.ie main phone number which has CSRs with a scripted answer prepared as I had plenty of specifics that couldnt be answered . Also at this point on a Friday night it was very hard to firstly get straight answers, secondly contact the Identity theft /fraud section in Guard HQ, the data protection commissioners office , also and most importantly the banks, visa card and who ever else you want to notify. It as someome mentioned will give everyone who got the email cooling off time until monday and avoid unwanted press from the like of papers, joe duffy and gerry ryan radio shows .
I would guarantee that on any other normal day there woud not be a hope of getting any email contact from them after 4.30 after friday after drinks until the following monday!

leeroybrown

I take your point foxyscot08 but I do think that they'd have been struggling to deal with it properly and issue a response much earlier.

If I were in their position I'd have put an answering service up too. 90% of questions will be the same and if the e-mail and answering service is clear enough most of the others don't need to be asked. Also, if they issued a reasonably large number of e-mails I'd expect sufficient calls that their call centre would be swamped and almost no one affected would get assistance.

Plenty of people will be reading these e-mails on Monday morning and I'm people will get a chance to ring up Gerry Ryan and Moan Duffy to get it aired.

Where they seem to have fallen down is that their e-mail / message doesn't seem to have been clear enough.

Also, I'd question the necessity of individual customers contacting the Gardaí. There is nothing the fraud bureau can do for them as individuals bar placate them. It's an unnecessary waste of Garda time. Ideally, I think that Jobs.ie should have said in their e-mail that they would be involving the Gardaí and that individual customers did not need to report the problem to them.

(EDIT - Before someone suggests it, I'll just add that I've got no association with Jobs.ie or any other recruter)

foxyscot08

hey leeroy i take your point - however when i called the guardi to ask for their opinion and advice they did say that it is a good idea to be reported and they take it seriously - although there is very little they can do

As it has been suggested that it was hacked from abroad speculation could be that it will be used for id fraud - worst case scenario someone does use your name at least its reported and you have proof against jobs.ie

Often with credit card fraud and skimming fraud for example the process to prove that it you are actually a victim can often be lengthy and the reason this type of fraud/identity fraud is on the increase is due to people being UNAWARE someone is using their details.

least jobs.ie have told everyone as these types of situations are frighteningly commonplace and often we hear nothing about them - .ie laptops being stolen with personnell files , just recenty tax records in the uk

For info this is so widespread in the uk there are identity theft insurance policies in place (direct line RBOS)and one of the major factors relating to this is reporting that you may have had your details compromised immediately to the relevant authority-

AARRRGH

Jobs.ie now have a big "Important Jobs.ie Notice" link on their index page which links to this: http://jobs.ie/Notice.html

bronte

Grr, so annoyed, feel I should report it to the Guards now, but don't want to make a fuss over nothing either.