Government To Fix Jobs Website Security After Hackers Post Fake Ads

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

DWP on the case after fake job ads raise fears of data theft on the government service

A new government jobs website is to have a number of security holes filled after hackers found ways of exploiting the system to gain personal data.

The Universal Jobmatch site, accessed via the recently-launched GOV.UK service, has been under scrutiny since a dubious ad for a spy job, which referred to fictional spy James Bond, appeared online. It later turned out that pranksters had gotten around security controls to post the fake ad.

Subsequently, a Channel 4 investigation found hackers had grabbed personal information by posting fake ads asking for data. They were able to retrieve passwords, national insurance numbers and scans of passports from their scams.

Gov jobs website looking for ‘babes’?

In the past week, a slew of fake ads have made their way onto the jobs website. The Johnny Void blog, which had previously described the site as a “scammer’s paradise”, today reported on a job ad from ‘Cosa Nostra Holdings International Couriers’, which appeared to be looking for drug smugglers.

“We are looking to take on three international couriers, ideally with their own transport, who can travel to our production hub in Amsterdam to collect high value packages and bring them into the UK to pass on to our national distribution network,” read the job ad, which has now been removed.

Another ad that made it onto the site sought female presenters “for home internet work for internet babe chat”.

Faced with a barrage of bad press and fears over the job website’s security, a Department of Work and Pensions (DWP) spokesperson told TechWeekEurope that improvements were being made on the technical side to shore up site security. The enhancements will include greater scrutiny of the content of job ads.

“There have always been checks in place, but as a result of the breaches, [we are doing more],” the spokesperson said.

The improvements will go on top of current checks, which have proved ineffective at stopping fake ads. Those checks include vetting of employers who sign up to the service and removing them once they have been caught breaking site rules.

In a statement, the DWP added: “The security of a claimant’s data is of the upmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks.

“The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer’s been made. If someone is being asked for personal information or details beyond their CV we would recommend they alert Jobcentre Plus immediately.”

Are you a security expert? Find out with our quiz!