Recruitment firm chided after 7,500 CVs left unsecured on its website

A recruitment firm has been reprimanded by the Information Commissioner’s Office (ICO) for leaving the details of nearly 7,500 CVs on its database unsecured on its public website.

The site, Janetpage.com, is a hub for those in the care industry, and the ICO was alerted to the fact that the supposedly secure website for firms seeking staff – where 7,435 CVs were stored – was completely open to anyone visiting the website.
The company was unaware of this error and when alerted to it said it may have been caused by a hack on its system, although no evidence was able to support this.
"At the time of the incident, the data controller believed that the section of the website, in which the CVs were stored, had been hacked by an individual seeking work. However, the data controller has been unable to provide any technical evidence to support this assumption," it said.
In its report on the issue the ICO said those running the website staff lacked the technical know-how to install such a system and were not trained on data protection measures.

“The data controller failed to ensure appropriate technical security measures were in place to provide an adequate level of protection. In the Commissioner’s view, this demonstrates a lack of data protection awareness with regards to technical security matters,” it said.

“Furthermore, the Commissioner’s investigation revealed that the data controller did not have sufficient data protection training, and that its information security policy and procedures were lacking.”

The firm has now signed an undertaking agreeing to stronger data protection measures including better website security and improved training for staff on data protection issues.

V3 contacted Janetpage for comment on the investigation and subsequent undertaking, but had received no reply at the time of publication.
ICO spokesperson said the case underlined the importance of ensuring any data passed on by members of the public is kept secure.

“The candidates who sent their CVs into the Janet Page website were told that the information would only be shared with employers looking to recruit new staff,” they said.

“This did not happen and the website owner has now agreed to review their current practices to make sure that candidates’ information is kept secure.”