Name and location of company: FastTrack Reflex Recruitment (now part of Team Resourcing Ltd), headquartered in the UK.
Size: 5 GB of data exposed, 21,000 files.
Data storage format: AWS S3 bucket.
Affected countries: mainly British citizens, with some individuals from Europe, West Asia and the United States.
The Website Planet research team found a misconfigured bucket owned by the company, formerly FastTrack Reflex (now Team BMS, part of Team Resourcing), that exposed CVs containing the personal information of thousands of job seekers. Many CVs were accompanied by the applicant's identity document, including passports, national ID cards, driving licences and skilled worker cards.
The exposed files came in several document formats, such as .pdf and .doc. The CVs leaked in this breach contain many examples of applicant PII that identifies a person directly or indirectly.
Directly identifying PII found in the CVs includes:
full name, email address, mobile phone number, home address, and the applicant's social media profiles (such as LinkedIn, Facebook and Twitter).
Examples of indirectly identifying PII can also be found in the leaked CVs, such as:
education and professional history, and personal hobbies and interests.
The identity documents attached to many CVs contain further samples of applicant PII, including details that do not appear in the CV itself:
date of birth, passport number and the applicant's photograph.
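As an added illustration (not from the original report), the following Python classifies identifiers found in text extracted from a CV or an attached ID document into the direct and indirect categories used above. The CV and passport text, the name Jane Example, the phone number, the postcode and the passport number are all constructed; the patterns are UK-flavoured and illustrative, and name detection is deliberately left out because a regex cannot do it reliably.

```python
"""Classify PII in extracted CV / ID text as direct or indirect identifiers.

Added example, not code from the original report. Sample texts below are
constructed; the patterns are illustrative, not an exhaustive DLP ruleset.
"""
import re

# Constructed CV text (no real person; 07700 900123 is a reserved number).
SAMPLE_CV = """Jane Example
Email: jane.example@example.org
Mobile: 07700 900123
Address: 12 Sample Street, Crawley, RH10 1AA
LinkedIn: linkedin.com/in/jane-example
Education: BEng Building Services Engineering, University of Brighton
Hobbies: cycling, climbing
"""

# Constructed text as OCR might extract it from a passport scan.
SAMPLE_ID = """PASSPORT
Surname: EXAMPLE
Given names: JANE
Date of Birth: 01/01/1990
Passport No: 123456789
"""

# Direct identifiers: each alone points to one person. Full name is not
# matched here because free-text name detection is unreliable.
DIRECT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_mobile": re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}(?!\d)"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    "social_profile": re.compile(r"(?:linkedin\.com|facebook\.com|twitter\.com)/\S+", re.I),
    # The next two normally come from the attached ID, not the CV.
    "date_of_birth": re.compile(r"\b(?:DOB|Date of Birth)\s*[:\-]?\s*(\d{2}/\d{2}/\d{4})", re.I),
    "passport_number": re.compile(r"Passport\s*(?:No\.?|Number)\s*[:\-]?\s*(\d{9})\b", re.I),
}

# Indirect identifiers: narrow a person down only in combination.
INDIRECT_PATTERNS = {
    "education": re.compile(r"\b(?:BSc|MSc|BEng|University of [A-Z]\w+)\b"),
    "hobbies": re.compile(r"^(?:Hobbies|Interests)\s*:\s*(.+)$", re.I | re.M),
}


def _scan(text, patterns):
    """Run each pattern; keep only categories with at least one hit."""
    hits = {}
    for name, pattern in patterns.items():
        found = pattern.findall(text)  # returns the group when one is defined
        if found:
            hits[name] = found
    return hits


def find_identifiers(text):
    """Return {'direct': {...}, 'indirect': {...}} for one document."""
    return {"direct": _scan(text, DIRECT_PATTERNS),
            "indirect": _scan(text, INDIRECT_PATTERNS)}


def direct_identifier_count(text):
    """Number of direct identifiers, a rough per-document severity score."""
    return sum(len(v) for v in find_identifiers(text)["direct"].values())


if __name__ == "__main__":
    for label, doc in (("cv", SAMPLE_CV), ("id", SAMPLE_ID)):
        print(label, direct_identifier_count(doc), find_identifiers(doc))
```

Run over a whole exported bucket listing, the per-document counts give a quick way to estimate how many records carry direct identifiers versus only CV-style indirect ones, which is the distinction the report draws between the CVs and the attached ID scans.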
FastTrack stored applicant data in an AWS S3 bucket, a cloud storage resource rented from Amazon Web Services. Configuring the bucket securely, however, is the customer's responsibility, not Amazon's.
21,000 client files (including copies), equivalent to 5 GB of data, were left unprotected in FastTrack's bucket. These documents belong to people who worked with brands and organisations across the UK.
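The "customer's responsibility" point above is concrete: whether a bucket is open is decided by its policy, its ACL and the account's Block Public Access settings. The following added example (not code from the original report, FastTrack or AWS) audits those three documents offline, in the shape that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return them. The bucket name `example-cv-bucket`, the account ID, the role name and the sample documents are all constructed.

```python
"""Offline audit of an S3 bucket's access configuration for public exposure.

Added example, not code from the original report or from AWS. All sample
documents and identifiers (example-cv-bucket, account 123456789012, role
recruiter-app) are constructed for illustration.
"""
import json

# Constructed: policy granting anonymous read and list, the pattern behind
# a typical "open bucket" finding.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-cv-bucket",
                 "arn:aws:s3:::example-cv-bucket/*"]}]})

# Constructed: the corrected policy, limited to one application role.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RecruiterAppOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/recruiter-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-cv-bucket/*"}]})

# Constructed ACLs: READ granted to everyone vs. owner-only.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]}
LOCKED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser",
                                      "ID": "OWNER-ID-PLACEHOLDER"},
                          "Permission": "FULL_CONTROL"}]}

# The four Block Public Access settings, all off vs. all on.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_OFF = {k: False for k in PAB_KEYS}
PAB_ON = {k: True for k in PAB_KEYS}

PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
# Lower-cased action names that let a caller enumerate or download objects
# (common exact forms only; full IAM wildcard matching is out of scope).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*",
                "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy_json):
    """Sids of unconditional Allow statements giving anonymous callers read
    or list rights. Conditional statements are left for manual review."""
    flagged = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


def acl_public_grants(acl):
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def block_public_access_complete(pab):
    """True only when all four Block Public Access settings are on."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def assess_bucket(policy_json, acl, pab):
    """Combine the three sources: fully enabled Block Public Access
    neutralises public grants in both the policy and the ACL."""
    issues = []
    sids = policy_public_statements(policy_json)
    if sids:
        issues.append(f"policy allows anonymous read/list: {sids}")
    perms = acl_public_grants(acl)
    if perms:
        issues.append(f"ACL grants public permissions: {perms}")
    blocked = block_public_access_complete(pab)
    return {"public": bool(issues) and not blocked,
            "issues": issues, "block_public_access": blocked}
```

The fix the audit points at is the one S3 provides: enable all four Block Public Access settings at the account level and restrict the bucket policy to the specific roles that need it, so a later mistake in either the policy or an object ACL cannot reopen the data.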
The exposed sensitive data could be used by criminals for a range of fraudulent activities. The following are examples of the leaked CVs and identity documents.
The most recent document we could see dated from February 2020. After we tried to apply for a job through FastTrack's website, no new records appeared on the server. Given FastTrack's recent merger, we believe the server was no longer live at the time of discovery and was not being updated regularly.
Thousands of people may be affected. A large number of CVs and ID documents were stored in the bucket. Even if every applicant uploaded both a CV and an ID, more than 10,000 people would be affected. We do not know the exact ratio of CVs to IDs, although we believe more CVs than IDs were stored. Information about other contacts (such as professional references) may also be exposed.
FastTrack mainly works with companies located in the UK, and several foreign nationals are involved in this breach. However, these nationals are probably UK residents, and we are not aware of any international business of FastTrack Reflex.
As a result of this exposure, FastTrack may face legislative action under the GDPR and the UK's Data Protection Act 2018.
FastTrack Reflex is a recruitment company focused on the building management system (BMS) industry. At the end of January 2021, FastTrack Reflex Recruitment (now called "Team BMS") merged with its sister company "Team Sales". The merged company, owned by Empresaria Group PLC, is named Team Resourcing, and one of its divisions is "Team BMS".
FastTrack Recruitment is a business-to-business company that has sourced BMS talent for large-scale projects across the UK. FastTrack (or Team BMS) mainly works with British citizens, and we do not know whether the company operates internationally. Records of citizens from Europe, West Asia and the United States were found on the FastTrack server, although many of these foreign nationals may live in the UK.
CVs were identified from this group. Some of them were accompanied by passports, driving licences and skilled worker certificates. Several different types of personal ID issued in different countries were found in FastTrack's database.
Who leaked the data? FastTrack Reflex Recruitment, now Team BMS, has more than 20 years of recruitment experience in the building management system industry.
FastTrack facilitates the design, commissioning and servicing of building management systems. Headquartered in West Sussex, England, FastTrack has been involved in world-famous building projects in Britain.
FastTrack has provided recruitment for skyscrapers such as 22 Bishopsgate, 20 Fenchurch Street and The Shard, as well as stadiums (Wembley and the Olympic Stadium), transport terminals (Heathrow Terminal 5 and Crossrail) and private projects (White City, AstraZeneca and Battersea Power Station).
This data leak may have been caused by human error on the part of FastTrack Reflex's IT team or service provider. Amazon is not responsible for the configuration of FastTrack's database, nor for this data leak.
Impact on applicants: Although FastTrack's AWS S3 bucket was unprotected and unsecured, we have no way of knowing whether any malicious actors found the open bucket and downloaded, leaked or distributed any of FastTrack's customer data.
However, if you are among those exposed, be aware that hackers may have accessed the server. Hackers could use your personal data for many different criminal activities.
Address fraud, identity theft and fraud: names, addresses, emails, phone numbers and personal details (such as education and professional history) can be used by hackers to identify and target victims, gain access to accounts, build trust with victims' colleagues, or target these victims through fraud attacks across multiple platforms. For example, with a name and address, hackers could redirect your post to a location of their choice, intercept bank statements and financial mail, and use these details to order cheques and new credit cards on your account.
Scams, phishing and malware: criminals can contact victims by email or phone and use their personal information to build trust. On the phone, these criminals may try to defraud victims of money or extract information that enables further criminal activity. By email, criminals can induce people to click a link that delivers phishing pages or malware to the victim's device.
Corporate espionage: other companies could discover FastTrack's customer list and try to learn about those customers from FastTrack, or understand how FastTrack conducts business.
Theft: personal information, especially home addresses, could be used against the households of FastTrack's customers to commit burglary or robbery.
Data privacy law: FastTrack's business is aimed at individuals across the UK. Although we do not know all the laws FastTrack may be subject to, we expect FastTrack to face government scrutiny. FastTrack falls under the GDPR because EU citizens are affected. Wherever in the world the data of EU citizens is mishandled, the GDPR applies. The GDPR requires companies to handle data securely and to take appropriate technical and organisational measures. The maximum penalty for violating the GDPR is a fine of about 20 million euros, or 4% of the company's annual turnover (whichever is higher).
Since Brexit, the UK has retained the GDPR in the form of the Data Protection Act 2018. Under the Act, the maximum fine is about 20 million euros, or 4% of the company's annual turnover (whichever is higher). FastTrack failed to report the breach, so it may face a fine of 10 million euros, or 2% of its annual turnover.
Business losses: this data leak may also damage FastTrack's reputation, generating negative publicity and reducing the number of companies and candidates willing to do business with FastTrack.
By failing to properly protect its customers' data, FastTrack has put these people at risk of criminal activity. The breach of trust between FastTrack and its customers may lead customers to take their business to other recruitment companies.
Competitive espionage: FastTrack's competitors can see the leaked customer list. These competitors could contact FastTrack's customers and poach this business from FastTrack.
Competitors posing as customers or business partners could contact FastTrack (now Team BMS). After building trust using customer information and personal data, they could learn more about FastTrack's business operations.
Data leak status: all the exposed data is accurate and relates to candidates recruited by FastTrack Reflex (now Team BMS). All records found in this exposure belong to real people.
The leak was discovered on December 29, 2020. After several days of research, we found that this bucket belonged to FastTrack Reflex.
We contacted FastTrack Reflex about the exposure on January 12 and 15, 2021, and contacted Team Resourcing on March 1, 2021. After many attempts to contact the company, the host