Why not become an employer to snatch personal data?

It’s not really breaking news that personal data can be at risk on internet job portals, as hackers have recently demonstrated with the Guardian Jobs website breach.

But why should you even consider all the hassle to hack the web site if there’s an even simpler way to obtain these data?

As a report in the German newspaper ‘Süddeutsche Zeitung’ reveals, you may only need to claim to be an employer to get access to applicants’ personal data.

An unemployed social education worker from Berlin registered as an employer with the job portal of the German federal job agency ‘Bundesagentur für Arbeit’.

Contrary to what you might expect, she was not required to present any evidence of her role as an employer, such as a trade licence or company number. Instead, a valid address and a fake vacancy were sufficient.

Within a week, she received her PIN and was able to browse the parts of the applicants’ data where personal information already shows up in clear text. Subsequently, she contacted several applicants and, within just a few days, received 13 application folders with addresses, phone numbers, CVs, certificates etc. via mail and email.


What makes the data grab even easier is the fact that, after registration, an “employer” can change their contact data without any restrictions, and thus cover their tracks.

No wonder that the German Federal Commissioner for Data Protection, Peter Schaar, is quite outraged about this gateway for data abuse, and has urged the job agency to close it immediately.

The job agency, however, counters that it does not want to raise the psychological bar for prospective job advertisers any higher, and that it verifies employers’ identities on a sample basis anyway.

Whether thoroughly verifying every employer’s identity is a necessary precaution or an undesirable deterrent and overhead is a controversial question. Privacy is in competition here with a possibly more efficient job service.

As long as it is this easy to pretend to be an employer and register, however, it is the job agency’s duty to explicitly notify their clients of this fact. This is currently not the case, as I can tell from my own experience with this portal (no, I’m not hunting for a job outside Sophos!). If I were an applicant, though, I’d restrict the personal information in my profile to a minimum and carefully examine to whom I eventually send my CV and certificates.

So what’s the conclusion of this case?

Even the best data leakage prevention technology is useless when there are no proper data handling regulations in place, and when the individuals who submit their data aren’t aware of the consequences.

Job agencies and other service institutions should consider carefully whether to sacrifice the privacy of their users in favour of a small improvement in comfort or efficiency.

When using a publicly accessible database, watch carefully to what degree you expose your personal data, and don’t shy away from explicitly asking how your data is protected.

In case of doubt, look for another service provider with a better concept of privacy.