CyberCrimeSecuritySecurity Management

Cisco Admits Incorrect Security Setup Caused Job Applicant Data Leak

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Privacy facepalm. Personal details of people applying for jobs at Cisco leaked from unsecure website

Cisco finds itself in an embarrassing position this week after it admitted that one of its websites had leaked the personal details of job applicants.

The leak is especially embarrassing for the firm, as it prides itself on its security credentials. Indeed, it is a major player in the security market and earlier this year bolstered its cloud security offerings with the acquisition of CloudLock.

Limited Information?

The leak seems to have occurred on the mobile version of its Professional Careers website, and the firm insisted only “limited” personal information was leaked.

In a letter sent to the US attorney general, Cisco said the flaw had been spotted by an independent security researcher who “discovered that a limited set of job application related-information from the Cisco Professional Careers mobile website was accessible.”

Cisco blamed the fault on an “incorrect security setup” after system maintenance had been carried out.

HPE“The issue was immediately fixed and passwords to the site have been disabled. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you to this incident,” it said.

So what information was leaked?

Well while it didn’t involve the leak of personal banking details, the leak was about as bad as it can get, as the data included names, addresses, emails, telephone numbers, usernames, passwords, answers to security questions, education, profile information, gender, race etc.

This type of personal information of course is goldmine for criminals looking to carry out fraud or identity theft.

Even worse, this information was exposed twice. Once between August and September 2015, and then again from July to August 2016.

So not only did Cisco make this mistake twice, it also seems that it failed to encrypt the data, or hashed the passwords.

Cisco Statement

Cisco has advised people to change their login, passwords, and security questions. It has also said that users can have 90 day fraud alerts placed on their accounts.

“We do not believe that the information was accessed by anyone beyond the researcher who found and reported the issue,” said Cisco. “However, there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.”

“In the event of information being unintentionally disclosed, we respond immediately to remedy the issue, notify the affected parties, and put additional protections in place,” Cisco told TechweekEurope via email.

“On November 2, 2016, Cisco notified users about an incident where a limited set of job application information was accessible from Cisco’s Professional Careers mobile website.” it told us.

“We take the protection of personal data very seriously, and apologise for any concern or inconvenience this incident may have caused.”

What do you know about Internet security? Find out with our quiz!