A few weeks ago, a subsidiary of a major Belgian bank was hit by a blackmail attack. Attackers requested a big amount of money or they threatened to reveal sensitive stolen data. I don’t know how ended this story, did the bank pay? Did the attackers really steal a big amount of data or they were just bluffing? Targets of such attacks always try to limit the impact by avoiding communications. This is in fact a bad behavior and, hopefully, things will change when the breach notification laws will be in place in European countries.
Same story today! >We learned via the Belgian press (article in Dutch) that another attack was conducted against an interim company. More information has been posted by another Belgian blogger. By reading his post, it looks that security was very poor (as usual I would like to say!). They leaked 10K records with name of job seekers, address, email, national number and social security card number. As a proof, they released some records here.
You can be tempted to have a reaction like “That’s weird but it’s just another leaked database!” But, the stolen data contained also comments made by the company employees about the job applicants. Examples? (based on the sample data release) “Nothing to catch. Always looks drunk. Unstable person.” or “Something wrong with it. Huge sweating and coughing. Drugs?“. If the complete database will be released in the Internet, this could have huge impacts for multiple parties:
- Are employees authorized to write down comments like this?
- The same comments written by the employees could lead to discrimination. (Example: comments based on bodies or physical aspect of the people)
- Customer of the interim agency could be impacted too. Bad publicity! (Example: If they don’t want workers from a specific religion or skin color!)
- The psychological impact on some job seekers. How some could react if they read the comments left about them? Some might be psychologically weak and have difficulties to sustain their position as unemployed.
As you can see, problems are not only on the technical side. In my opinion this is the perfect example to remember that all your data are valuable. Often, most critical data are found in military, financial or medial environments but, if you collect data about people (customers, partners, …), you must implement security measures to protect them in the right way!