- A tech recruiting firm left the personal information of roughly 216,000 people exposed, a researcher said.
- The information included partial Social Security numbers, email addresses, and visa statuses.
- It’s unclear if any unauthorized parties accessed the exposed data.
An IT researcher found that the unsecured files from a tech recruiter’s database included personally identifying information of an estimated 216,000 job seekers — including data like names, phone numbers, passport numbers, visa information, and partial Social Security numbers.
Jeremiah Fowler, the security researcher who co-founded the consulting firm Security Discovery, said he didn’t know how long the data had been exposed but told Business Insider that the database was locked soon after he contacted the recruiter in September. He said New Jersey-based Alltech Consulting Services never responded to his notices.
Alltech representatives also didn’t respond to requests for comment from BI specifically about the security issue.
Fowler on Monday published his security report indicating that Alltech left its database of job candidate information unsecured without a password. That left the personal identifying information of about 216,000 tech job candidates exposed. Because the door was essentially left unlocked, someone trying to steal identities wouldn’t have needed to hack into Alltech’s database — or even search that hard — to find the information, Fowler said.
Alltech says on its website that “more than 1,000 companies” rely on its services to connect them with tech professionals. Business Insider hasn’t been able to verify this independently. BI also contacted the company by calling its main phone number, sending direct LinkedIn messages to its executives, and emailing its main email address.
Two Alltech executives, listed as the company’s owner and vice president on LinkedIn, told Business Insider in direct messages they weren’t aware of any unsecured data or a breach.
Fowler said the data exposed included email addresses, passport numbers, the last four digits of SSNs, and information on work visas. “The records also contained internal notes about their experience, qualifications, and type of job they are looking for,” Fowler said.
Business Insider has reviewed the message Fowler sent to three Alltech email addresses on September 10 disclosing the unprotected data. Fowler has previously flagged cybersecurity issues with a Wi-Fi provider at UK rail stations, a software company used by more than 5,000 US school districts, and a virtual medical provider, among others.
Justin Miller, an ex-Secret Service agent and associate professor of practice of cyber studies at the University of Tulsa, told Business Insider that leaving a database unprotected by a password or any encryption means “anybody could potentially access the database.” It’s unclear, though, if any other unauthorized parties accessed the Alltech data.
Miller and Fowler said that the type of information left exposed by the database, including the last four digits of a Social Security number, could allow a cybercriminal to impersonate a person.
“You’re looking toward identity theft,” Miller said. “Details like names, work history, your visa status, passport numbers, even parts of your Social Security number, allow for bad actors to piece together enough information to steal identities and create fraudulent profiles.”
Fowler added that incidents like Alltech’s — and others he investigates — highlight how important it is for companies to protect their data.
“It also serves as a wake-up call to the industry to review their data security practices and identify vulnerabilities to protect their internal systems and the personal information of the individuals they serve,” Fowler said.
Alltech’s website says it was founded in 1998. It’s unclear why Alltech collected job seekers’ Social Security or passport information. Fowler said job candidates should be “skeptical” of recruiters who ask for personal information as a condition of applying for a job.
Have a tip? Contact the reporters at lloydlee@businessinsider.com and ktangalakislippert@businessinsider.com