Brian Honan writes:
Tonight I got an email from the online recruitment arm of Bond Personnel, MyJob.ie, to inform me they recently suffered a security breach and were sending me a precautionary email to change my password. While there are no details as to what information the attackers accessed or how they managed to breach MyJob.ie’s security, there are two interesting points to note:
- MyJob.ie say they were not the primary source of the breach. This leads to the question which of their providers were breached?
- The attackers have already been arrested and a file sent to the DPP. If this is the case, when did the breach originally occur and why did it take so long to notify those impacted?
The other question that is of interest is what is MyJob.ie’s data retention policy for holding client data? I have not used that website for well over 10 years, so my data would be well out of date and no longer useful. Indeed in the Data Protection Commissioner’s report for 2008 he mentions a security breach at jobs.ie and highlights they had retained personal data of clients for “an unnecessarily long period of time”.
Read more on Security Watch.
Not surprisingly, Brian is right on the money with his questions. Like the U.S., Europe has failed to enact mandatory data breach notification laws that specify what types of information need to be provided so that consumers can make their own risk assessment and take self-determined steps to protect themselves.
Brian kindly forwarded the e-mail notification he received:
From: [email protected] [mailto:[email protected]]
Sent: 08 September 2011 22:10
Subject: [MyJob.ie] Important Announcement
MyJob.ie
Dear Honan,
I am writing to bring your attention to a recent security breach on the server hosting Myjob.ie. The breach was quickly identified, and the Gardai have apprehended two individuals who are now the subject of a file being compiled for the Director of Public Prosecutions. Although Myjob.ie was not the primary source of the breach, as a precautionary measure we would ask all users to immediately change their password. Furthermore we would ask you to observe best practice in choosing all internet passwords and do not use the same password for more than one internet service. If you do use the same password for multiple services we would strongly urge you to rectify this immediately by logging into those systems and choosing a new password. Also, please note that reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate.
* Never give out personal banking information
* Do not share your passwords with anyone
* Do not open email attachments if you are suspicious, especially .exe files.
Please accept our apologies for any inconvenience or distress caused by this precautionary email. Should you wish to contact us please send an email to [email protected]
Yours sincerely,
John Doupe
*** MyJob.ie will never ask for your password, or financial/credit card information. There are no fees for candidates using MyJob.ie ***
I’ve sent an inquiry to myjob.ie seeking additional clarification on the breach and will update this when I get a response.