For IT professionals looking for work on Wall St., the latest personal-data security breach hits close to home. A hacker released what are alleged to be thousands of resumes and other hiring-related correspondence obtained from ITWallStreet.com, an employment website.
For firms it should be one more stark reminder that the reputations of both companies and their customers or clients can be at risk from data security failures.
The hacker, using the name "Masakaki," is a member of the hacktivist group TeamGhostShell and claimed to be acting in support of the Occupy Wall Street movement. Andiamo Partners, the recruiting firm that operates ITWallStreet.com, has not yet confirmed or denied the hacktivist attack. No details of how the exploit was carried out have yet been reported.
The materials that Masakaki put online, however, are filled with personal details about IT professionals seeking positions at financial-industry firms. A total of 50,000 accounts were compromised, including detailed resumes from 3000 prospective employees.
These were not LinkedIn resumes intended for public viewing. They were confidential personal communications, filled with details ranging from Social Security numbers to salary expectations.
Also included in the compromised data were communications between recruiters and prospective employers, discussing the qualifications of specific candidates applying for specific jobs. Salaries discussed in the correspondence ranged up to $400,000, and some of the emails specifically mentioned vice-president positions at financial firms.
While we cannot yet say how this security breach was carried out, or how sophisticated it was, one thing not in doubt is Andiamo Partners' responsibility for the sensitive personal data entrusted to its website by both job seekers and prospective employers.
Again, the specifics of this security breach remain unknown. But the great majority of hacking attacks target firms that failed to cover the security basics, and left holes in their confidential data protections that should have been closed.
Don't let your company be the next one that hackers successfully target.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."