Back to Blog Cyber Attacks – Is Your Applicant Data Safe? by Art Papas on October 16th, 2012 On October 11, behemoth executive search firm Korn/Ferry International disclosed that it had been the target of a “criminal security data breach,” according to Staffing Industry Analysts. While Korn/Ferry contends that the databases attacked were not designed to house sensitive information such as credit card and Social Security numbers, the full fallout of this cyber attack is yet to come to light. At this point it’s too early to tell what the criminals will do with this stolen data. The news of Korn/Ferry’s breach is especially concerning since recruiting firms are fantastic targets for cyber criminals. They store massive quantities of contact information, education and work history. This vast trove of deep personal information makes it very compelling for criminals to create highly personalized and targeted phone and internet scams that lure people into giving up bank, credit card and Social Security information. While being contacted by a Nigerian prince might cause giant red flags to pop up, jobseekers place their trust in recruiters and therefore have no reason to suspect foul play – making a breach of this nature all the more damaging. How would you respond if you received the following email? “Hi Sue, this is Bob from Korn/Ferry. I have an offer coming your way from Google. They want to do a background check. Can you give me your Social Security number? Great thanks.” A breach like this carries with it heavy federal and state fines and necessitates strict notification requirements. Do you really want your firm to issue a mea culpa of this magnitude? When information is entrusted to you, how do you explain away what happened? Do you take the honest approach? It would look something like this: Dear Ms. Smith, We regret to inform you that our computer systems were the target of a cyber attack. We can’t be sure of what really happened, because we don’t really know that much about IT security – remember, we’re a recruiting firm, not a bunch of computer geeks. But we’re pretty sure all that extremely personal information you’ve divulged to us over the last few years is now in the hands of cyber criminals who live in a foreign country. They probably have your resume, your email, your home phone, your cell phone, your work phone numbers, your work history and education. Oh, and they definitely know that you told us that your boss is a moronic hack and you deserve his job. Wow, what were you thinking, sharing something that sensitive? You see, our CIO and IT department believes that we should keep all of our IT systems in-house. Despite their age, we believe that the IT security systems that we designed in 1987 are still very much the “State of the Art.” Of course, if there was a way to outsource these systems to people who are experts in IT systems and security, that would be even better. But, as far as we are aware, no such services exist. Man, wouldn’t that be awesome if they did? We recommend you freak out now. If I were in your shoes, I would take a couple of weeks off from work so you can clean up this mess. You should get a new Social Security number, driver’s license, passport, and contact every financial institution with whom you’ve ever conducted business. Hey, on the bright side, you hate your job anyway :). Oh, if you’ve ever used your school mascot or company name in your online passwords, we recommend you flee the country immediately. Lastly, please don’t say anything about this on Facebook or Twitter. That would be super embarrassing. We don’t want the media to find out! The interwebs are a scary, scary place. And, no one is safe from threats because every IT system has vulnerabilities. However, acknowledging those vulnerabilities and making concentrated efforts to protect sensitive data is critical to staying one step ahead of cyber attacks. Bullhorn protects recruiting data for a living. It’s one of our core competencies. We’re the ones waking up in the middle of the night worrying about every little threat so that, God forbid, our customers should never have to write a letter like that or suffer the business damage a data breach will cause. SSAE 16 (Statements on Standards for Attestation Engagements No. 16) provides guidance to independent auditors who issue SOC 1 reports to services organizations. The SSAE 16 SOC1 can be issued as a Type I or Type II report. The Type I report ensures that controls in place at the service organization are designed effectively at a point in time. The Type II report ensures that the controls in place at the service organization are operating effectively over the course of a full period (typically six months or one year). Once a year, an independent company performs a SOC1 Type II audit of the Bullhorn datacenter and underlying controls. The auditors test sample evidence for each of Bullhorn’s controls and procedures (e.g. server upgrades, new code deployment, quarterly updated lists of authorized users) and verify they are operating effectively and working as documented. We are the only provider in the recruiting software space who is SSAE 16 SOC1 Type II compliant. We invest more in security systems and staff than the entire competitive field combined. The Bullhorn datacenter also complies with multiple governmental standards for personal identity compliance, including Massachusetts General Law Chapter 93H and its regulations 201 CMR 17.00, one of the strictest sets of personal identity regulations in the United States. Additionally, Bullhorn complies with the United States-European Union Safe Harbor standards. If your staffing agency values the safety of its data and its business reputation and you’re not already entrusting your applicant data to Bullhorn, it’s time to learn more.