Michael Page Recruitment hacked - all passwords compromised

Michael Page blames Capgemini for hack via insecure "development server" left online

Recruitment firm Michael Page has admitted that it has been hacked, with all passwords compromised. The company claims that the hack took place at the beginning of the month.

In an email to clients, it warned that names, email addresses and passwords were all accessed by unknown hackers, although it added that the passwords, at least, were encrypted.

The company claims that the attackers gained access via a development server used for testing PageGroup websites by its IT services provider Capgemini.

"We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites," the company admitted in its email.

"We are sorry to tell you that the details you provided as part of your mypage subscription have been identified as amongst those accessed... Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services," it continued.

The email added: "We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened."

It also suggested that the data had not been "taken with any malicious intent" and had requested that the attackers "destroy or return copies" of the data. "They have confirmed that they have already destroyed it and we are confident that they have done so," claimed Michael Page.

However, Michael Page clients, who include many working in IT, were less than impressed, especially with the use of personal, production data on a development server without at the very least encrypting and anonymising it.

"You were entrusted with my data and you have broken that trust by putting my data on a development server and without anonymising it," wrote one client.

They continued: "This is a truly shocking lapse of control by both you and Cap Gemini. It is one of the most basic rules that you do not use personal data in this way - I've been in IT for over 30 years and in every environment I have worked in, any data that contains personal information has been confined to production environments only."

Michael Page clients have demanded to know why it took ten days to inform users, where the development server was located and the data protection rules applicable, why a development server was made accessible via the internet and whether either Michael Page or Capgemini operated "controlled administrator-level access" to the server.

Computing has contacted Michael Page, putting these and other questions to the company, and will update the story when we receive the company's response.
