Drake reports 300k breach to Oz watchdog, but says no risk to affected

Hacked recruiter stays mum on number of Australians and New Zealanders caught in ransom standoff.
Liam Tung (CSO Online), 16 January, 2013 15:57

The Australian office of hacked recruiter Drake International says details in a candidate database stolen by hackers last week pose no risk to affected individuals -- but it has nonetheless reported the breach to the Australian Information Commissioner’s Office.

“Drake International has notified The Office of the Australian Privacy Commissioner and Privacy Commissioner’s Office (New Zealand) of the security breach and we are taking steps to notify affected clients and candidates in Australia and New Zealand,” Drake’s Australian national marketing manager Alexandra Tidy told CSO.com.au by email.

The firm’s Canadian headquarters confirmed last week that hackers had made off with a database said to contain details of over 300,000 candidates from Australia, New Zealand, the UK and Canada. The breach occurred on January 7, according to Tina.

The hackers had demanded a US$50,000 payment by the end of last week in exchange for not publishing it on the Web.

Drake refused to negotiate with the hackers, who on Sunday published the database on Multiupload.nl, noting on Twitter that they had "1000s of email/password combos" -- potentially valuable to hackers if the candidates had used the same combinations for other online services.

The URL, however, has been taken down for a breach of terms, while the MD5 hash of the file it hosted was removed upon a takedown request. CSO.com.au has been unable to locate a copy of the database, which the hackers claimed included email/password combinations, candidates' referees, phone contacts and details about some of Drake's clients.

Drake’s Tina said these details did not pose a risk to those affected by the breach.

“Drake International wishes to stress that the data security breach was limited in scope and does not pose a risk to affected individuals,” Tidy said in an email.

“Our databases do not store personal\business tax identification numbers, government identification numbers nor any personal\business banking details.”

A small snippet of details released by the hackers last week suggests the database did not contain as much detail as a leak last year of finance sector IT recruiter ITWallStreet.com, which was said to contain 50,000 candidates’ user names and passwords, in addition to logs of phone calls made between recruiters and candidates and email exchanges. Tidy would not disclose how many Australians were amongst the 300,000 affected by the breach, besides that their numbers were “small in comparison to the overall numbers of our candidates and clients.”

“Drake International is not at liberty to disclose such information to you as we are still in the process of notifying the affected individuals,” she said.
