UK Recruitment Agency Exposes Sensitive Data Through Unprotected Database
- Recruitment company Nohow has left the sensitive data of over 12,000 people exposed in an unprotected Azure blob.
- The company has failed to respond to the notices, so the data remained accessible for at least a month.
- The leaked info includes sensitive document scans, IDs, passports, banking details, email addresses, etc.
Over twelve thousand people have had their sensitive data exposed online after Nohow International has failed to properly secure its database. The discovery of the unprotected Azure blob was the work of researchers from the CyberNews team, who informed Nohow, a UK-based staffing and recruitment agency, on December 8, 2020.
Receiving no response a week after, they reported the leaking blob to Microsoft, and the tech company finally secured it in early January 2021. The 12,464 files in the database contain extremely sensitive information in the form of images, PDF documents, and even email messages.
The types of files found there include the following:
- National ID cards
- Passport scans
- Birth certificates
- Employment contracts
- Tax returns
- Taxpayer reference numbers
- National insurance cards
- Full banking details
- Email addresses
- Full names
- Signatures
- UK National insurance numbers
- Addresses
The potential for exploitation for someone holding the above documents goes wide and deep, as we’re basically talking about full identities. Most notably, high-level criminals would use these to forge fake documents, perform identity theft, and also engage in banking fraud. To make matters even worse, many of the exposed individuals are blue-collar workers who immigrated to the UK to seek a better life and who are already in a somewhat vulnerable position.
According to CyberNews, most of the data comes from Lithuanian, Polish, African, and Caribbean citizens. Nohow accepts these applicants’ files, performs “prequalification checks,” and then connects these people with its clients, who are UK-based construction companies looking for a cheap workforce. Because these people are in need and simultaneously hoping, they don’t think twice before they provide Nohow with all their details, and the firm has just betrayed this trust.
If you are one of these people, you will have to report any signs of identity theft to the authorities immediately. Also, keep an eye on your bank accounts and statements and notify your bank and creditors if you see anything weird or inexplicable.
Finally, replace your national ID and passport and ask the authorities to invalidate the current ones as soon as possible. Remember, if things get out of control and someone abuses your personal details for their purposes, finding a way out of the trouble you’ll get yourself in will be quite hard.