Millions of job seekers could be at risk after private information was leaked online by a recruitment agency
- Details of more than 200,000 job seekers were left in a database
- The data contains sensitive PII that can be used in scams and fraud
- It is unknown how long the database remained visible and who had access to it
More than two million records from Alltech Consulting Services were discovered by cybersecurity researcher Jeremiah Fowler in a non-password-protected database.
The disclosed data includes the personally identifiable information of more than 216,000 job seekers, including names, phone numbers, email addresses, the last four digits of their SSN, passport numbers, and visa status for work permits.
Alltech Consulting Services works with more than 1,000 organizations to find employees in the IT and engineering sector.
Countless data exposed
The database has since been removed from public view, but it also contained employer data such as names, company names, email addresses and telephone numbers, along with applicant data including salary expectations, employment history and whether they were willing to relocate for the job.
Given the general salary weighting for senior IT and engineering positions, many of those whose data was leaked from the database would be prime targets for cybercriminals looking to extort victims in spear-phishing campaigns or to commit fraud and identity theft using their data.
The details in the database could also be used to target individuals with fake job offers. Fowler points out that $737 million was lost to fake job offers between 2019 and 2023, and that fake job scams increased by no less than 110% between 2022 and 2023 and are expected to continue.
“Although the data showed that the files were owned by Alltech, it is not known whether they controlled the unencrypted database or whether it was controlled by a third party,” Fowler also said in his write-up.
“It is also unknown how long the data has been made public and whether anyone else has had access to it, as only an internal forensic audit can identify that information.”
The FBI recently issued an alert about a series of job postings scamming victims out of cryptocurrency, and web developers have been targeted by North Korean hackers with malware hidden in Python packages.