Cisco finds itself in an embarrassing position this week after it admitted that one of its websites had leaked the personal details of job applicants.
The leak is especially embarrassing for the firm, as it prides itself on its security credentials. Indeed, it is a major player in the security market and earlier this year bolstered its cloud security offerings with the acquisition of CloudLock.
The leak seems to have occurred on the mobile version of its Professional Careers website, and the firm insisted only “limited” personal information was leaked.
In a letter sent to the US attorney general, Cisco said the flaw had been spotted by an independent security researcher who “discovered that a limited set of job application related-information from the Cisco Professional Careers mobile website was accessible.”
Cisco blamed the fault on an “incorrect security setup” after system maintenance had been carried out.
So what information was leaked?
Well while it didn’t involve the leak of personal banking details, the leak was about as bad as it can get, as the data included names, addresses, emails, telephone numbers, usernames, passwords, answers to security questions, education, profile information, gender, race etc.
This type of personal information of course is goldmine for criminals looking to carry out fraud or identity theft.
Even worse, this information was exposed twice. Once between August and September 2015, and then again from July to August 2016.
So not only did Cisco make this mistake twice, it also seems that it failed to encrypt the data, or hashed the passwords.
Cisco has advised people to change their login, passwords, and security questions. It has also said that users can have 90 day fraud alerts placed on their accounts.
“We do not believe that the information was accessed by anyone beyond the researcher who found and reported the issue,” said Cisco. “However, there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.”
“In the event of information being unintentionally disclosed, we respond immediately to remedy the issue, notify the affected parties, and put additional protections in place,” Cisco told TechweekEurope via email.
“On November 2, 2016, Cisco notified users about an incident where a limited set of job application information was accessible from Cisco’s Professional Careers mobile website.” it told us.
“We take the protection of personal data very seriously, and apologise for any concern or inconvenience this incident may have caused.”
What do you know about Internet security? Find out with our quiz!
Investor appeasement? Apple unveils huge $110 billion share buyback program, as sales of iPhone decline…
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…