French Job-Seeking Platform Exposes 14 Million Records Online
- Groupe Phosphore has exposed thousands of businesses and individuals via two databases.
- The unprotected databases were left online for at least 40 days, as the owner was slow to respond.
- The implications of the exposure are dire, as the data involved is very sensitive.
As discovered by security researchers Noam Rotem and Ran Locar, the French job-seeking platform "Groupe Phosphore" left two databases accessible online without password protection. The incident exposes small businesses in France and Belgium, as well as many thousands of individuals. The two databases are named "Henrri" and "Rivalis", and they belong to the company’s invoicing platform and its professional support and consultancy network, respectively. Each database therefore contains data from clients who use these two software solutions, and the implications of this are major.
The researchers discovered the two databases on October 7, 2019, but the company only responded to their repeated messages more than a month later. The Groupe Phosphore team finally secured the databases on November 20, 2019, so the data remained accessible for at least 40 days. The databases contained a total of 14 million records and had a combined size of about 17.2 GB. The researchers analyzed this data and found the details of 27,286 small businesses and 339,787 private individuals. The exposed data was mainly the following:
Business Data:
- Company names and ID numbers;
- Owner contact details;
- Corporate capital value;
- SIRET, ICT, NAF, RCS numbers for French business and governmental services;
- Total revenue numbers & revenue of invoices and quotes;
- Monthly fiscal details such as goods & workforce revenues.
Source: VPN Mentor
Individuals Data:
- Resume;
- Full name and gender;
- Email address;
- Phone number;
- Marital status;
- Professional qualification.
As is obvious from the above, the impact is both wide and deep, as the exposed people and businesses now face a severe risk of being targeted by hackers and scammers. It also raises many concerns about the general security practices followed by Groupe Phosphore, which owns another 15 firms and markets a large number of business-grade software products.
Finally, considering the amount of data and its importance, the possibility of a class-action lawsuit against the company cannot be ruled out. The businesses will certainly seek explanations and compensation, but that will be a lot harder for the exposed job applicants to do. If you have submitted a job application through Rivalis, beware of financial and identity fraud attempts against you. You can also contact the French data protection authority and report the incident to them. If enough people do so, the authorities will investigate the incident.