Millions of jobseekers could be at risk after private data leaked online by recruitment firm

News
By
published

Hundreds of thousands of records found in unprotected database

An abstract image of a cloud raining data.
(Image credit: Pixabay)
  • Over 200,000 records of jobseekers were left exposed in a database
  • The records included sensitive PII that could be used in scams and fraud
  • It isn't known how long the database was left exposed, or who accessed it

Over two million records belonging to Alltech Consulting Services have been discovered by cybersecurity researcher Jeremiah Fowler in a non-password protected database.

Included within the exposed data is the personally identifiable information of over 216,000 job seekers, including names, phone numbers, email addresses, the last four digits of their SSN, passport numbers, and work authorization visa status.

Alltech Consulting Services work with over 1,000 organizations to source employees in the IT and engineering industries.

Tons of data exposed

The database has since had public access removed, but employer details were also contained within the database such as names, company names, email addresses, and phone numbers, along with applicant data including salary expectations, employment history, and if they were willing to relocate for the job.

Considering the general salary weighting for senior IT and engineering roles, many of those who have had their data leaked from the database would be prime targets for cybercriminals looking to extort victims in spear phishing campaigns or commit fraud and identity theft using their details.

The details contained within the database could also be used to target individuals with fake job offers, with Fowler pointing out that $737 million was lost to fake job offers between 2019 and 2023, with fake job scams rising by as much as 110% between 2022 and 2023.

“Although the records indicated the files belonged to Alltech, it is not known if they managed the unencrypted database or if it was managed by a third party," Fowler also stated in his writeup.

"It is also unknown how long the records were exposed or if anyone else accessed them, as only an internal forensic audit can identify that information.”

The FBI recently released a warning about a series of job offers that scam victims out of cryptocurrency, and web developers have been targeted with malware hidden in Python packages by North Korean hackers.

You might also like

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division),  then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.