Update 9/1/2019: First National advises that the documents have now been secured. “The network has provided assistance to the company and is monitoring its progress,” a spokesperson said.
Applicants for positions at First National Real Estate are among possibly thousands of job-seekers whose information has been inadvertently made accessible online.
UK-based privacy advocate Gareth Llewellyn revealed details of the breach, which involved an unsecured S3 bucket on AWS. Llewellyn estimated that resumes and cover letters of some 2000 applicants, many for positions at First National, are among the trove. An tool that indexes insecure buckets reveals that it contains more than 6100 items.
A spokesperson for First National said that it took the matter seriously and was investigating further. The organisation said it had been in contact with the Office of the Australian Information Commissioner (OAIC). First National’s head office doesn’t conduct HR processes for its member offices, and it appears at least one individual member office was involved, the spokesperson told Computerworld.
The breach appears to be linked to an Australian-based online psychometric assessment service designed to analyse prospective sales staff. Attempts via phone and email by Computerworld to reach the managing director of the company that provides the tool were unsuccessful.
The company claims its clients include Starr Partners Real Estate, Sophos, Professionals Real Estate Group and the Australian College of Professionals.
The latest OAIC report on the Notifiable Data Breaches scheme, covering the three months to 30 September, revealed that the privacy watchdog had received 245 notifications of breaches from Australian companies.
The health sector was responsible for 45 breaches; followed by the finance sector (35); legal, accounting and management services (34), and education (16). Organisations in the personal services sector, which includes employment, training and recruitment agencies, child care centres, vets and community services, reported 13 breaches to the OAIC.
“Companies need to be better at respecting the people who put trust in them to safeguard data,” Llewellyn told Computerworld. “Personal data should be considered a toxic asset and minimised/destroyed as soon as possible.”
A failure to lock down access S3 buckets has been linked to a number of high-profile privacy breaches, including a security researcher in 2017 revealing that thousands of records held by Australian government agencies had been inadvertently made available online.
In February last year, Amazon made AWS Trusted Advisor's S3 Bucket Permissions Check available for free to all of the customers of its cloud service. The tool identifies S3 buckets that are publicly available.
Previously it was available only to the service provider’s Business and Enterprise support customers.