Jobs.ie Security Breached.

Miss Fluff

Crikey, just logged on to www.myjob.ie, looks dodgy as hell. Anyone familiar with it?

bronte

They sent me links to jobs not even suitable for me (not that I'm looking)
I'm after emailing and asking to be taken off the database, and where they got my email address

AlexBM

Yeah, myjob.ie looks dodgy. At first, I thought it was okay, but you have to fill in way too much personal info before you can look at any jobs. I filled in the first few pages, but didn't submit my info.

dazberry

It is just a front for Bond Personnel. It says so on the contact us page.

MyJob.ie · Kreston House, Arran Court, Arran Quay, Dublin 7
Tel: +353 1 8280900 · Fax: +353 1 8280901

MyJob.ie is a registered business name of Bond Personnel Group Limited
Registered in Ireland, companies registration no. 274779

D.

ollielaroo

my cv was taken too apparently... see email below



Hi .....,

I can absolutely understand that anxiety that this has caused for you.
We are currently working with the Gardai, The Data Protection Commissioners and carrying out our own internal investigation and will let you know any significant news that we have on the matter.
In the meantime I urge caution if contacted by a third party seeking information and if you receive suspicious emails - perhaps you could forward them on to me as attachments.

Kind Regards,
Huw Taylor
General Manager



From: me
Sent: 05 April 2008 22:17
To: Danielle Dunphy
Subject: RE: Important Jobs.ie Customer Information

Hi Huw,

Thank you for informing me of this unfortunate incident. As you can imagine like anybody I would be very angry if someone were to use the personal details from my CV to attempt identity-theft or any other malice act.
I hope you can appreciate that this could cause unnecessary anxiety to someone in my position who is searching for a job as my CV has also been uploaded to many other recruitment websites.
I would be very grateful if you or your team could keep me updated as necessary on any new developments that arise regarding this issue.

Many thanks,
me





From: info@jobs.ie
To: ........
Date: Fri, 28 Mar 2008 17:54:40 +0000
Subject: Important Jobs.ie Customer Information

Dear .....
I am writing to bring your attention to a security breach on Jobs.ie which occurred yesterday evening. Although this breach was identified and stopped quickly, a small number of CVs were illegally downloaded. Unfortunately your CV was one of the records taken. I understand and apologise for the concern this will cause you and I want to assure you that we are taking steps to prevent this happening again. In the meantime I urge you to exercise extra caution while conducting online activity.
To help you avoid risk, please follow these key online safety tips:

* Reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate
* Never give out personal banking information
* Do not share your passwords with anyone
* Do not open email attachments if you are suspicious, especially .exe files.

A dedicated 24 hour customer helpline has been set up to deal with any further questions or concerns you may have. Please call +353 (0)1 680 8699 or email info@jobs.ie
Again, please accept our apologies for any inconvenience or distress caused.

Yours sincerely,
Huw Taylor

Baunie

I read in the news that they accessed the server and got hold of cvs and passwords. I deleted my cv from the website well before the hack and it was still downloaded because they had kept it on the server! I am getting enormous amounts of spam to my email address but other than that the effects are yet to be seen. I have changed all passwords and bank account details to avoid trouble.

dojo200

Hi to all my fellow victims, I too was informed that my cv had been downloaded and the attitude was so flippant that I contacted all the releveant people, guards, data protection, banks, previous employers. I have just received a letter from the out come of the data protection investigation and they did find that Jobs.ie were in breach of security and as a gesture that Jobs.ie have offered €15,000 to the relief fund in China. Now the way I see it, yes they are taking on board that they were wrong not to have security in place of these cv's but if as the previous note claims that there were up to 60,000 people affected so that works out at about 25c per cv stolen. I personally am not accepting this even if only 15,000 cv's were stolen that would only be €1 per cv. I am going to get legal advice on this, has anybody else?

Thirdfox

are you serious about this?

dojo200

Of course I am, have appointment tomorrow to seek advice on this. I have already had a call from a foreign girl asking for me to do a survey. I was quick to ask her where she got my number she tried to give me some bull story about a number picked from a database, I asked again where she got my number as it was ex-directory and she hung up. I am always aware of these things happening but I have to be on extra gaurd now. Jobs.ie see themselves the victims and not us. I had to argue with their so called 24 hour helpdesk about this as he kept telling me that they were the victims not me. I am sick of waiting for them to put their hand up and openly appoligise. After all they wont even come out and say how many people have been affected. Its not that I am looking for a way to make them pay I just want the justice done and their meegar offer is not enough as far as I am concerned.

Thirdfox

Could I have a look at the communications the data protection office sent you as regards their investigation?

While I am not a lawyer, I am a law student (who had my CV taken too). I would interested in what had been said.

AARRRGH

I would have some sympathy for them as anyone determined enough can break into any system; it doesn't matter whether they use hacking (technical) or social engineering, it can be done.

I think Jobs.ie have tried to do the right thing - let people know there was a screw up. They could have said nothing and they probably would have gotten away with it.

Saying all that... Saongroup (owners of Jobs.ie/Irishjobs.ie/etc.) are a massive company, so €15,000 is a fairly small gesture, but of course they didn't have to donate anything.

board om

dojo200 wrote: »

Of course I am, have appointment tomorrow to seek advice on this. I have already had a call from a foreign girl asking for me to do a survey. I was quick to ask her where she got my number she tried to give me some bull story about a number picked from a database, I asked again where she got my number as it was ex-directory and she hung up. I am always aware of these things happening but I have to be on extra gaurd now. Jobs.ie see themselves the victims and not us. I had to argue with their so called 24 hour helpdesk about this as he kept telling me that they were the victims not me. I am sick of waiting for them to put their hand up and openly appoligise. After all they wont even come out and say how many people have been affected. Its not that I am looking for a way to make them pay I just want the justice done and their meegar offer is not enough as far as I am concerned.

they apologized ages ago in emails sent out to the people affected. and they have also already said how many people were affected. my CV wasnt on Jobs.ie but i get calls on my mobile and on my home phone for surveys all the time. obviously i hang up. you dont have to be on any mailing list or have your CV stolen for this to happen, they use randon generated numbers nowadays so they dont need your details. the information on your CV is of no use to anyone except you. they cant do any identify theft or raid your bank account. its pointless.

what are you hoping to achieve by taking legal action? you ware going to be paying out of your own pocket for legal representation, and you are not going to get anything back out of it. you arent going to get compensation. they arent going to be fined any more money. its over with and forgotten about. these things happen so get on with your life.

dojo200

Its easy to say just forget about it, but they were in the wrong and even after nearly 2 months of asking them to delete my cv I had to go to the data protection again for them to do it. I dont think that for such a large company as they are they should just forget about this by donating a small amount to the relief fund, they should be donating a certain amount per cv that was stolen. Maybe then they will understand that we are all victims, If I choose to pay a solictor for advice well that's my money after all I have been spending money on phone calls since this happened.

To Thirdfox here is part of the letter I received it is also posted on the Data Protection website.

The Data Protection Commissioner has today, 22 May 2008 concluded his investigation in relation to the illegal access and download of CVs by persons unknown on the website of the online recruitment company - Jobs.ie. Since this issue was brought to its attention on 31st March last, the Office of the Data Protection Commissioner has been engaged in a detailed investigation of all the circumstances giving rise to the incident in question. Throughout the process Jobs.ie co-operated completely with the conduct of this investigation and has supplied all relevant information and records sought to this Office. This expedited the investigation.
This investigation only dealt with the considerations arising from the requirements of the Data Protection Acts 1988 & 2003 as they apply to Jobs.ie and did not address any issues which are within the jurisdiction of An Garda Síochána regarding any criminal investigations it may be conducting in relation to those persons who carried out the illegal access.
The Investigation has concluded that Jobs.ie did not meet the requirements of Section 2(1)(d) of the Data Protection Acts as elaborated upon in Section 2C of the Acts by not having in place a level of security on part of its system appropriate to the harm that could have resulted from the unauthorised and unlawful access to and downloading of the personal data in its possession. This was accepted by Jobs.ie
The investigation also concluded, in relation to a proportion of the complaints received, that Jobs.ie did not meet the requirements of Section 2(1)(c)(iv) of the Data Protection Acts by continuing to hold personal data for longer than was necessary for the purpose for which it was given.
The Office of the Data Protection Commissioner feels that it is important to make clear that Jobs.ie has responded to the illegal access to the personal data that took place in an exemplary fashion. There is no doubting that it now takes its data protection responsibilities very seriously. It moved to put in place additional security measures immediately to minimise the potential for any repetition of the incident and has taken on board all of this Office’s recommendations.
In addition, Jobs.ie behaved in an appropriate manner following the illegal access and is to be commended for its actions, on its own initiative, in making immediate contact with all persons affected by the illegal access that took place.

Thirdfox

Hmm, looking at that it would seem that jobs.ie has acted quite prudently after the incident (at least in a legal sense). If people are unhappy about what has happened in terms of personal dissatisfaction getting legal action may be an option (for a breach of privacy perhaps?) But I personally do not think there is much chance of getting court enforced orders that will hurt the company. A far better option for those dissatisfied may be to vote with their feet and just leave the site. A much cheaper option too.

Having said that I am not a lawyer, you should not take what I say as legal advice (see my signature below). In my personal case I'm still with jobs.ie (I have taken my CV off it though) and still get a few job offers sent to me (that I've requested for). The legal avenue may not be the most suitable in many cases - just something to consider.

If it does go to court, I'm not sure about compensation and court orders for action but you should be able to get your legal cost back at least (again, not advice/guarantee but just an observation).

Gone West

gidget wrote: »

Can I ask, did this only happen to people who were registered to jobs.ie or what? I applied for a job through this site but was not registered? Haven't recieved any e-mails yet ( fingers crossed i hope i still don't), but i did e-mail my cv to the agency a month ago through this site.

Well I only applied for jobs (and ages before this whole thing happened) and they got my cv.
So looks like jobs.ie was sneakily holding onto every cv that passed through their system.
And they weren't archiving them, as they obviously had some sort of web-access protocol set up to access them online, which was hacked.

dojo200 wrote: »

that Jobs.ie did not meet the requirements of Section 2(1)(c)(iv) of the Data Protection Acts by continuing to hold personal data for longer than was necessary for the purpose for which it was given.

Like I can forgive the security thing. The obviously didn't WANT to be hacked, but as for this... Well this was just flaunting the law, by deliberately holding onto our cvs that we "sent" to the companies.

Obviously they had notions of starting a recruitment company in the future or selling them on to recruitment companies!

dojo200

Thanks for the advice, I will still attend my appointment and let you know how I get on.

Thirdfox

No problems, just remember, I'm not giving advice!

A professional lawyer may have an entirely different opinion based on his(her) expertise on the particular area of law.

agibbons

dojo200 wrote: »

Of course I am, have appointment tomorrow to seek advice on this. I have already had a call from a foreign girl asking for me to do a survey. I was quick to ask her where she got my number she tried to give me some bull story about a number picked from a database, I asked again where she got my number as it was ex-directory and she hung up. I am always aware of these things happening but I have to be on extra gaurd now. Jobs.ie see themselves the victims and not us. I had to argue with their so called 24 hour helpdesk about this as he kept telling me that they were the victims not me. I am sick of waiting for them to put their hand up and openly appoligise. After all they wont even come out and say how many people have been affected. Its not that I am looking for a way to make them pay I just want the justice done and their meegar offer is not enough as far as I am concerned.

Hi, how did you get on re: the legal advice.

lostexpectation

http://www.dataprotection.ie/viewdoc.asp?DocID=741&m=f

is that it