According to Channel 4 News, a group of hackers recently took advantage of the lack of security on the UK government's new Universal Jobmatch Web site to collect dozens of job applicants' personal data.
"A fake ad posted by a group of hackers seeking to draw attention to the security flaws was able to harvest the personal details of over 70 jobseekers," Channel 4 News reports. "Using clearly false details the hackers registered as an employer and gained access to the site posting a fake ad for a cleaning job which went live seemingly unvetted."
"Applicants for the job handed over highly sensitive personal details, including national insurance numbers, email addresses, dates of birth, personal addresses and scans of passports," writes SearchSecurity's Moriah Sargent. "Hackers who are able to collect these kinds of information could easily commit identity fraud, or illegally access applicants' email, bank accounts and other online accounts."
"The website’s security vulnerabilities have been reported to the UK’s privacy watchdog, the Information Commissioner’s Office, which is tasked with enforcing the country’s data protection laws," writes Computer Weekly's Warwick Ashford.
"The Department of Work and Pensions said in a statement that the site clearly advised jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer was made," PublicService.co.uk reports. "'Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence,' a spokesman said."
"The DWP told the Guardian that the site was still being piloted before a national rollout and that manual checks alongsideas well as automated checks were taking place to combat the problems," write The Guardian's Shiv Malik and Rachael Day. "The DWP said all new registering employers would now be checked manually to ensure they were genuine."