Hackers have obtained personal details of more than 70 job applicants by exploiting a flaw in the U.K. government's Universal Jobmatch website. According to U.K. television station Channel 4 News, security checks are not performed on the people who post jobs, and job advertisements go unchecked as well.
A group of hackers seeking to draw attention to the security flaws used clearly false information to register as employers. They then posted a fake advertisement for a cleaning job to the site. Applicants for the job handed over highly sensitive personal details, including national insurance numbers, email addresses, dates of birth, personal addresses and scans of passports. Hackers who are able to collect these kinds of information could easily commit identity fraud, or illegally access applicants' email, bank accounts and other online accounts.
Channel 4 investigators were also able to register to the site within minutes. They have notified the U.K.'s privacy watchdog, the Information Commissioner's Office, of the problem.
User-generated content on forums and other websites has been a growing concern. Basic website security controls scan contributed user content for invalid URLs, malware and malicious script that can cause serious problems. Research issued in May by security firm Imperva highlighted the dangers of user-generated content. Many social media sites run PHP, a common Web development language that can make sites vulnerable to attack.
In a statement about the Jobmatch website, the U.K. Department of Work and Pensions said:
"The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer's been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.
"The security of a claimant's data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV [curriculum vitae] we would recommend they alert Jobcentre Plus immediately."
The Universal Jobmatch website can be accessed via the U.K. government portal gov.uk. It was launched on Nov. 19 as a replacement for the Jobcentre Plus website, which Channel 4 News exposed as being vulnerable to fraudsters in 2011.