

andrewNZ

2487 posts

Uber Geek
Inactive user


#280061 24-Nov-2020 19:58

Today I received an email from a recruitment firm asking me to update my details. I believe the email is genuine.

I clicked the link, and after several redirects, was greeted by a survey form containing my name, phone number, email address and job title. Had they had the information, I believe it would also show my general location and my current employer.


Alarm bells are ringing, I don't know what other information they have, it's been several years since I've dealt with them.
Is there any legitimate secure way my information could be being stored, or is it likely just in an unsecured, web-facing database?
Should I be demanding that they remove my details immediately?
Am I overreacting a little?

freitasm
BDFL - Memuneh
79294 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2609989 24-Nov-2020 20:28

"Today I received an email from a recruitment firm asking me to update my details. I believe the email is genuine."

 

If it is genuine and they have information you have previously provided, they probably would like to get it confirmed or up-to-date to maintain their pool of candidates. 

 

Any reason why you think the data wouldn't be secured? Because it was available through a link without login? 

 

You can always ask them to remove the data and reply confirming it was done: Office of the Privacy Commissioner | Correction of personal information









andrewNZ

2487 posts

Uber Geek
Inactive user


  #2610019 24-Nov-2020 20:48

The intention of the email, and the origin of the data is clear, and isn't an issue.

The question is if the data can be stored securely. I clicked an email link, there was no form of authentication other than what was contained in the email, that doesn't seem right to me.

I'm not in any way familiar with the methods of storing or accessing data securely. That's why I asked here.

If I find out they are presenting my information to the world, I will absolutely ask them to remove my details.

freitasm
BDFL - Memuneh
79294 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2610021 24-Nov-2020 20:51

If the data is available through a link, without authentication, then it's not secure. That link could be held by intermediary proxy servers (if any), crawled by search engine bots, crawled by bad bots harvesting personal information, etc. 

 

Contact them and explain the situation. You have the right to have that data removed as per link above. 









wired
187 posts

Master Geek


  #2610033 24-Nov-2020 21:23

I think it is right to be concerned about what is being kept about you. Last time I heard, personal information was worth more on the black market than credit card details, that’s how valuable it is. (Can’t find that reference now)

 

The other question for me is whether they are retaining information about you and using it for a purpose other than what it was collected for (principle 9). For example, if it was collected for the purposes of applying for a particular job and that job recruitment is long gone, then what is their purpose in continuing to hold that information?

 

The new Act introduces new requirements for overseas companies doing business in NZ and for processing your data for their benefit on non-NZ servers (new principle 12), which is an interesting read.

 

 

 

Suggest you follow the link above and have a general read around the site.

 

 

 

cheers,


andrewNZ

2487 posts

Uber Geek
Inactive user


  #2610090 24-Nov-2020 22:24

This is a NZ company.
I believe the information held, and the reason for keeping it is reasonable in this case. They have contacted me with potential job opportunities in the past.

Either way, I have asked them to remove my information. We'll see what comes of it. I see no provision in the act for data removal, only corrections.

itxtme
2102 posts

Uber Geek


  #2610100 24-Nov-2020 23:13

If it linked to a page there must be a means to show that it is you, i.e. bring up said details. They could be using a token methodology within the URL, which can be 100% secure. What does the URL look like? Maybe blank out portions of it for security.


andrewNZ

2487 posts

Uber Geek
Inactive user


  #2610103 24-Nov-2020 23:28

The url looks kind of like this

https://xxxxx.co.nz/?surveyId=a1b&hf=12345678&eId=12345678&utm_campaign=website&utm_source=Herefish&utm_medium=Email

 
 
 



gzt
17140 posts

Uber Geek

Lifetime subscriber

  #2610111 24-Nov-2020 23:53

On one level this depends how unique the link is. Can you simply alter the link and retrieve someone else's information? If the answer is a simple yes, then there is a serious legal problem for that company.

In the case where the link has an acceptable level of uniqueness this is still not a great practice imo because ..technical stuff about email..
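An added example, not part of any post in this thread and not the recruitment firm's code: one way a server can make an emailed link tamper-evident, so that altering the record ID no longer returns someone else's details. The `surveyId` and `eId` names come from the URL quoted above; the `exp` and `sig` parameters, the host `recruiter.example` and the secret key are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"   # assumption: random key held only by the server
TTL_SECONDS = 7 * 24 * 3600        # assumption: links stop working after a week


def _sign(survey_id, record_id, expires):
    """HMAC over every field the server will later trust."""
    msg = f"{survey_id}|{record_id}|{expires}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_link(base_url, survey_id, record_id, now=None):
    """Build the emailed URL; IDs are restricted so '|' stays unambiguous."""
    if not (survey_id.isalnum() and record_id.isalnum()):
        raise ValueError("ids must be alphanumeric")
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    query = urlencode({"surveyId": survey_id, "eId": record_id, "exp": expires,
                       "sig": _sign(survey_id, record_id, expires)})
    return f"{base_url}/?{query}"


def verify_link(url, now=None):
    """Return the record ID if the link is untampered and unexpired, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        survey_id, record_id = q["surveyId"][0], q["eId"][0]
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None                      # missing or malformed parameter
    expected = _sign(survey_id, record_id, expires)
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return record_id
```

A signed link is still a bearer credential: anyone who obtains the full URL from a mailbox or a log can use it until it expires, so this only answers the "can you alter the link" question.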

lxsw20
3552 posts

Uber Geek

Subscriber

  #2610121 25-Nov-2020 03:28

I think until there is something along the lines of GDPR in place (yes it's not perfect) where there are financial penalties about being slack around personal data security, very little will be done to keep user information safe. 


andrewNZ

2487 posts

Uber Geek
Inactive user


  #2610130 25-Nov-2020 06:52

I couldn't immediately find a way of altering the url to access someone else's details, but I also don't understand how the url is constructed.
It looks to me like someone who knows how the url structure works would be able to manipulate it.

Security by obscurity doesn't seem great for personal data.

SirHumphreyAppleby
2847 posts

Uber Geek


  #2610131 25-Nov-2020 07:03

itxtme:

 

They could be using a token methodology within the URL, which can be 100% secure. What does the URL look like? Maybe blank out portions of it for security.

 

 

An HTTP GET request should never be considered secure as they may appear in logs for proxies and, in the case of e-mailed links, in spam filter logs.

 

I consider this an acceptable compromise for something simple like mailing list management (name, e-mail address and subscriptions), but not adequate for protecting personal information.


1101
3122 posts

Uber Geek


  #2610238 25-Nov-2020 09:39

All that data you give them will be stored on their servers, or/and PCs.
It's only as secure as their internal security setup, rules & procedures.
It's only as secure as their semi-trained staff behind the keyboards, that's often where it all breaks down. There have been horror stories of breaches caused by staff in many industries.

 

If they decide to share your info (for whatever reason) then it's even less secure.

When they forward your CV & personal info to potential employers, consider all security gone.
Just the way it is. Some things are beyond your control so may not be worth worrying over.

 

 


MikeAqua
7785 posts

Uber Geek


  #2610329 25-Nov-2020 11:35

1101:

 


When they forward your CV & personal info to potential employers, consider all security gone.
Just the way it is. Some things are beyond your control so may not be worth worrying over.

 

 

As an employer/employee I've never encountered an HR firm that does this.

 

As an employer I've been advised by an HR firm that they have several strong candidates on file and will encourage them to apply.

 

As an employee like a lot of people I've gotten targeted emails/phone calls from HR firms.

 

An HR firm is likely to guard their candidate book jealously and leverage it to get revenue from the employer.

 

 

 

 





Mike


BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2610429 25-Nov-2020 12:31

You provide your details to recruitment agencies for the express purpose of them giving them to someone else - hopefully with your permission. I sometimes get speculative approaches with redacted personal info, which I can then cross reference with Linkedin or contacts to see who is on the market.

 

Most recruitment firms have pretty low standards, if you ask me.


Fred99
13684 posts

Uber Geek


  #2610442 25-Nov-2020 12:49

There's also other data that they may have on file, police check, medical information, notes from reference checking, interviews, psychometric tests, notes about that post you made on Facebook when seriously drunk in 2012, etc.

 

Could be interesting to make a Privacy Act request.  I bet they won't like it.

 

 

 

 

