6 Dec 2012

Hackers use government jobs site to steal your data

A new government jobs website has been described as a “scammer’s paradise” as a Channel 4 News investigation reveals major security flaws.

Hackers have obtained the personal details of scores of job applicants taken from the government’s Universal Jobmatch website in a bid to highlight the site’s vulnerability. The leaked data includes passwords, national insurance numbers and even scans of passports.

The Universal Jobmatch website was launched on 19 Nov and is accessed via the government portal gov.uk. It replaces the Jobcentre Plus website, which was exposed by Channel 4 News as being vulnerable to fraudsters in 2011. At the time the Department of Work and Pensions told us each advert would now be “checked for legal compliance” before going live.

The new site allows jobcentre staff to monitor the activity of jobseekers, checking what jobs have been applied for and suggesting new jobs. But there are no security checks performed on the people who post jobs, so our investigation was able to register as an employer in minutes.

Fake ad

A fake ad posted by a group of hackers seeking to draw attention to the security flaws was able to harvest the personal details of over 70 jobseekers.

Using clearly false details, the hackers registered as an employer and gained access to the site, posting a fake ad for a cleaning job which went live seemingly unvetted.

They were then able to quickly harvest personal information, including passwords and passport and driving licence scans, that can be used for identity fraud or allow them to illegally access email and even online bank accounts of applicants.

Channel 4 News has drawn this problem to the attention of the information commissioner’s office for investigation.

The hacking group explained that information like this opened up a number of options for criminal use, including: selling data on “darknet forums”, obtaining prepaid debit cards or insolvency bank accounts, verifying and stealing funds from PayPal, and taking out payday loans.

The hackers also claimed they could now hijack other accounts, as many of the passwords they obtained from their fake ad also work for the victims’ email, eBay and PayPal accounts.

A breach of trust

Shima Moradi was "shocked" when she learned her details had been leaked from a government run jobs website. She has been looking for work for almost two years and says that her confidence has been shaken by the breach of her data privacy.

"You're putting information out for the government to help you find a job and it's being leaked, it's a shame."

The 20-year-old from north London explained she is keen to find work but is frustrated by a stagnant jobs market and lack of quality positions.

"I have applied for a lot of jobs but I didn't think any of them look suspicious, I found out about that website through the jobs centre so I mostly apply through there."

"I have been finding it quite difficult landing a job, I've been putting myself out there and handing out a lot of CVs, applying to online jobs."

Keen jobseekers like Shima could be providing easy prey for scammers who want to harvest personal details or recruit people into roles that are not legal.

She explained she regularly receives email spam for fake jobs and even received one phone call for a job she didn't think was legitimate.

Ms Moradi spends her days applying for work and trying to find suitable jobs. She believes she has held up her side of the contract but the government has let her down.

She has even spent weeks working for free to gain experience, but feels that some employers have no intention of hiring workers after making them work free "probation" periods.

"The problem is a lot of places want you to have some sort of training but it's hard to get training if you can't get into a job."

"I've been in and out of a few jobs, it is hard to find the right thing, I am actively seeking work - I'm young and live in London it's expensive to get around, I need the money."

Claimants are not obliged to sign up to the new site, which allows jobcentre staff to monitor their activity and ensure they are applying for jobs. Despite this, many jobseekers say they were told to sign up to the site when they visited the jobcentre and were not aware that they could refuse.

Jemma Beggs explained she was devastated when she learned her details had been compromised this week as she has always maintained a high level of security online.

She explained she was told to sign up to the site at her jobcentre and was keen to find work so did not ask any questions.

“I look at all the jobsites, agencies and shop websites to try find work every week,” she stated.

“When I went to sign on I was told by the adviser about the new jobs website, I was told they would keep track of my searches and they didn’t mention if it was an option. Next time I got there they said they’ll log in to see what I had searched for, I didn’t mind as I really wanted some work.”

Fears about the new website first surfaced on claimant activist Johnny Void’s blog, where he claimed the new site could be a “scammer’s paradise”.

Within days of the new website going live, a spoof ad for a “Target Elimination Specialist” was posted seeking applicants with James Bond-like skills.

More worryingly, bogus jobs have begun to appear requesting that CVs, contact details and passport pictures be sent to accounts based as far afield as Thailand. A number of unusual ads seeking a “gay princess” have repeatedly appeared and stayed live for a number of days.

In a statement, the Department of Work and Pensions said:

“The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer’s been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.

“The security of a claimant’s data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV we would recommend they alert Jobcentre Plus immediately.”

Early warning

In June 2011 Channel 4 News revealed that job centres were offering fraudulent vacancies where applicants were scamming eBay users out of thousands of pounds.

Anne Begg MP, then chair of the Commons Work and Pensions Select Committee, told Channel 4 News at the time: “I hope that Jobcentre Plus have a look again at the checks that they have with regard to the jobs they advertise.

“They have obligations under the law to make sure that the jobs are bona fide jobs with proper employers.”