Drake reports 300k breach to Oz watchdog, but says no risk to affected
16 January, 2013 15:57
The Australian office of hacked recruiter Drake International says details in a candidate database stolen by hackers last week posed no risk to affected individuals -- but it has nonetheless reported the breach to the Australian Information Commissioner’s Office.
“Drake International has notified The Office of the Australian Privacy Commissioner and Privacy Commissioner’s Office (New Zealand) of the security breach and we are taking steps to notify affected clients and candidates in Australia and New Zealand,” Drake’s Australian national marketing manager Alexandra Tidy told CSO.com.au by email.
The firm’s Canadian headquarters confirmed last week that hackers had made off with a database said to contain details of over 300,000 candidates from Australia, New Zealand, the UK and Canada. The breach occurred on January 7, according to Tidy.
The hackers had demanded a US$50,000 payment by the end of last week in exchange for not publishing it on the Web.
Drake refused to negotiate with the hackers, who on Sunday published the database on Multiupload.nl, noting on Twitter that they had "1000s of email/password combos" -- potentially valuable to hackers if the candidates had used the same combinations for other online services.
The URL, however, has been taken down for a breach of terms, while the MD5 hash of the file it hosted was removed upon a takedown request. CSO.com.au has been unable to locate a copy of the database, which the hackers claimed included email/password combinations, candidates' referees, phone contacts and details about some of Drake's clients.
Drake’s Tidy said these details did not pose a risk to those affected by the breach.
“Drake International wishes to stress that the data security breach was limited in scope and does not pose a risk to affected individuals,” Tidy said in an email.
“Our databases do not store personal\business tax identification numbers, government identification numbers nor any personal\business banking details.”
A small snippet of details released by the hackers last week suggests the database did not contain as much detail as a leak last year from finance sector IT recruiter ITWallStreet.com, which was said to contain 50,000 candidates’ user names and passwords, in addition to logs of phone calls made between recruiters and candidates and email exchanges.
Tidy would not disclose how many Australians were amongst the 300,000 affected by the breach, other than to say that their numbers were “small in comparison to the overall numbers of our candidates and clients.”
“Drake International is not at liberty to disclose such information to you as we are still in the process of notifying the affected individuals,” she said.