Millions of job seekers could be at risk after private information was leaked online by a recruitment agency
- Details of more than 200,000 job seekers were held in the database
- The data contains sensitive PII that can be used in scams and fraud
- It is not known how long the database remained visible and who had access to it
More than two million records from Alltech Consulting Services were discovered by cybersecurity researcher Jeremiah Fowler in a non-password-protected database.
The disclosed data includes the personally identifiable information of more than 216,000 job seekers, including names, phone numbers, email addresses, the last four digits of their SSN, passport numbers, and visa status for work permits.
Alltech Consulting Services works with more than 1,000 organizations to find employees in the IT and engineering sector.
Countless data exposed
The database has since been removed from public access. It also included employer information, such as names, company names, email addresses and telephone numbers, along with applicant data including salary expectations, employment history and whether they were willing to relocate for the job.
Given the general salary weighting for senior IT and engineering roles, many of those whose data was leaked from the database would be a prime target for cybercriminals looking to extort victims in spear-phishing campaigns or commit fraud and identity theft using their details.
The data in the database could also be used to target individuals with fake job vacancies, with Fowler pointing out that $737 million was lost to fake job vacancies between 2019 and 2023, with fake job scams increasing by as much as 110% from 2022 to 2023.
“Although the data showed that the files were owned by Alltech, it is unknown whether they controlled the unencrypted database or whether it was controlled by a third party,” Fowler also stated in his write-up.
“It is also unknown how long the data has been made public and whether anyone else has had access to it, as only an internal forensic audit can identify that information.”
The FBI recently issued an alert about a series of job postings scamming victims out of cryptocurrency, and web developers have been targeted by North Korean hackers with malware hidden in Python packages.