Morrisec has always been my end goal. It was just taking that initial step into the unknown which held me back. So, when I returned to my paid job after the Christmas holidays and decided that it was time to move on, my initial impulse was not to say, hey, I am going to start my own company! Instead, it was to reach out to recruiters to find a new job.
As many of you looking for a new job have experienced yourself, the steps involved me having conversations with recruiters, updating my resume, and then sending off the document to recruiters and HR departments in the hope that it attracted the perfect role.
What personal information do recruiters and HR departments collect?
Reflecting now on that moment, luckily my resume was just a replication of what is already publicly available on LinkedIn. Had I not had my epiphany and decided it was time to bring Morrisec to fruition, the next step would have been to undergo interviews with prospective employers where I would have been providing a lot of what we call personally identifiable information (PII).
If successful in those interviews, the recruiter or HR manager would request copies of my qualifications, as well as a copy of my marriage certificate, as most of my qualifications are under my maiden name. I would have needed to provide proof of my right to work, such as my birth certificate or passport. I am sure somewhere along the line, someone would have wanted a copy of my driver’s licence, my superannuation details, and my tax file number. I would imagine this would have been from my future employer, but recruiters are undoubtedly collecting this information on behalf of clients and contractors.
So at this stage in my fantastical job search, somewhere out in the world, are multiple copies of my:
- Detailed resume, filled with personal information
- University testamurs and other tertiary certificates
- Marriage certificate
- Birth certificate and/or passport
- Driver’s licence
- Superannuation information
- Tax File Number
Why would a threat actor want your information?
Every day, people and their personal and sensitive information are neatly packaged into folders and saved on the systems of recruiters, HR managers and other staff involved in hiring processes. I cannot help but wonder what type of dollar value those neat little folders would fetch on the dark web? Don’t get me wrong, I have not turned to the dark side, yet. But it’s my job as a cybersecurity professional to think like a threat actor. We know that the more complete a profile is on an individual, the more money the profile is worth. I encourage you, as a recruiter or HR Manager, to step into my shoes for a moment and think about what type of data you are currently storing and how complete a profile you are collecting on each of your candidates. A single price like $50 or $100 per candidate does not seem like much, but how many profiles have you accumulated over time?
What are your legislative compliance obligations?
For those HR managers out there, I know you are thinking that the obligations around employee data are not the same as for customer data, because employee records are exempt under the Australian Privacy Act. But what about all the resumes and other documents you have kept from past applicants: the ones that did not pass review or their reference checks, or who turned down the offer at the last minute? Even the applicants who sent you their resumes and very kindly included their date of birth, current and expected income, home address and personal mobile number; all of this is personal information. If it is lost or breached, this data may need to be reported to the Office of the Australian Information Commissioner, as only current and past employees are exempt under the Act.
For recruiters, you never actually employ any of your candidates; your clients do. So sorry, none of this data is exempt under the Privacy Act. You need to protect it all!
No one is immune to cyber-attacks, recruiters included, and HR departments are among the three most targeted areas of any business (alongside IT and Finance). Just google “recruiter AND cyber breach” and you get a plethora of results (in between the ads for cyber-recruiters, that is!)
“I won’t be a target”. Think again!
In late 2021, the hacker group Conti claimed to have gained access to 300 gigabytes (the equivalent of ~93,600 songs) of data on job applicants and staff of some of Australia’s largest organisations after breaking into the systems of Finite Recruitment, an Australian recruitment company. The allegations came after the ransomware group released 12,000 files, or 35% of the stolen data, including resumes, offers of employment, contracts, timesheets, and vaccine certificates. Finite’s clients include Coles, Westpac, and several federal government departments, including the Department of Defence (DoD). Luckily, in a statement to ABC News, the DoD said that it had not shared any sensitive classified data with the recruitment provider.
This is not the first time the DoD has had to investigate the potential loss of member data due to recruitment breaches. In 2020, Defence Force Recruiting’s outsourced electronic records system, Powerforce, was taken offline after a suspected breach. The database had been in commission since 2003 after the recruitment agency Manpower won the contract. The database contains medical records, psychological records, and summaries of initial interviews with Defence Force personnel.
Not long before the DoD breach, in 2019, the recruitment agency Sales Inventory Profile, handling the screening for First National Real Estate, suffered a breach after more than 6,000 CVs with cover letters were found online.
These are just a few examples of recruiters being targeted. Sometimes an organisation is intentionally targeted due to the value of the data they are holding, and other times it is a lucky dip. Who will click on the link, and what data will the threat actor win? Unfortunately, there is no algorithm to predict who will be next, but I am sure if a data scientist was to invent such an algorithm, they would make a fortune!
What can I do to protect personal information in my care?
But it is not all doom and gloom. There are plenty of things you can do as a recruiter or HR Manager to protect the data that you have been entrusted with, and you HAVE BEEN entrusted with this data.
- Make sure you regularly conduct security awareness training which covers the latest threat actor tactics, what your organisation is doing to keep data secure, and what is expected of employees to keep your data safe.
- Only hold onto the information that you need, and for that data have a strong data retention policy in place which clearly states what must be deleted once a candidate has been picked and what is necessary to hold onto. Automating this is where you really want to be.
- Ensure you have multi-factor authentication (MFA) in place for everything, or at least have all your systems behind a single sign-in portal, and that portal uses MFA.
- Know exactly where your sensitive data is kept. Ensure only those that require access to your data can access it. You want to limit the places it is stored to reduce your attack footprint and your risk.
- In your job advertisement, make sure you specifically state not to include information such as date of birth, home address and current salary. For future candidates, make sure their resumes do not contain this type of information.
- Most importantly, understand that the information you are collecting on candidates needs to be protected, and understand the damage that may be caused to both that individual, and your organisation if that data is lost or stolen.
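As an added illustration of the retention and minimisation points above (example code written for this article, not a Morrisec tool), the script below evaluates a candidate document manifest against a retention policy and lists what is due for deletion. The retention windows, document classes and the "keep the verification result, not the copy" rule for hired candidates are assumptions made for the example, not legal guidance; the manifest is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative retention windows in days after the hiring decision.
# These figures are assumptions for the example, not from the post or any legislation.
RETENTION_DAYS = {
    "rejected": 90,    # unsuccessful applicants
    "withdrawn": 30,   # candidate pulled out or declined the offer
}

# Identity documents collected only to verify something (right to work, name change).
# Assumption: for hired candidates the verification outcome is recorded and the copy deleted.
VERIFY_ONLY_DOCS = {"birth_certificate", "passport", "marriage_certificate", "drivers_licence"}


@dataclass(frozen=True)
class CandidateDoc:
    candidate: str
    doc_type: str                 # e.g. "resume", "passport", "tax_file_number"
    outcome: str                  # "hired", "rejected", "withdrawn" or "active"
    decided_on: Optional[date]    # date the outcome was recorded; None while still active


def due_for_deletion(doc: CandidateDoc, today: date) -> bool:
    """True when the document has outlived its purpose under the policy above."""
    if doc.outcome == "active":
        return False                          # process still running, keep everything
    if doc.outcome == "hired":
        return doc.doc_type in VERIFY_ONLY_DOCS  # employer keeps the rest (contract, TFN)
    window = RETENTION_DAYS.get(doc.outcome)
    if window is None:
        raise ValueError(f"no retention rule for outcome {doc.outcome!r}")
    return today >= doc.decided_on + timedelta(days=window)


def purge_list(docs, today: date):
    """Sorted (candidate, doc_type) pairs that should be deleted as of `today`."""
    return sorted((d.candidate, d.doc_type) for d in docs if due_for_deletion(d, today))


# Constructed sample manifest mirroring the document types listed in the post.
SAMPLE = [
    CandidateDoc("c001", "resume", "rejected", date(2022, 1, 10)),
    CandidateDoc("c001", "passport", "rejected", date(2022, 1, 10)),
    CandidateDoc("c002", "resume", "hired", date(2022, 3, 1)),
    CandidateDoc("c002", "birth_certificate", "hired", date(2022, 3, 1)),
    CandidateDoc("c002", "tax_file_number", "hired", date(2022, 3, 1)),
    CandidateDoc("c003", "resume", "withdrawn", date(2022, 3, 20)),
    CandidateDoc("c004", "resume", "active", None),
]

if __name__ == "__main__":
    for candidate, doc_type in purge_list(SAMPLE, date(2022, 4, 15)):
        print("delete:", candidate, doc_type)
```

Running it on 15 April 2022 flags both of c001's documents (90 days past rejection) and c002's birth certificate, while c003's resume only becomes due on 19 April.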
Where to from here?
Following the recommendations above will put you on the right path to securing your candidates’ personal information, but if you need help, funnily enough, Morrisec has a cut-down version of our cybersecurity risk assessment specifically for HR and recruiters to address this specific issue. This cost-effective assessment focuses directly on all the sensitive information listed above and makes recommendations on how you can protect it going forward. Reach out to me if you want to learn more and start reducing your privacy risk.