Australian real estate network First National released a statement following reports last week that information it held on job applicants had been leaked online.
In the statement, First National explained that a recruitment agency it uses, Sales Inventory Profile, was responsible for the breach.
"First National immediately responded through every appropriate channel to ensure that its network had not breached or participated in any notifiable data breach," the organisation wrote, noting this included completing its due diligence, such as reaching out to the Office of the Australian Information Commissioner (OAIC).
Sales Inventory Profile, founded by Maya Saric in 1995, describes its product as the "world's first sales staff pre-selection software that allows you to identify which candidates can sell before the interview with 90 percent accuracy".
First National is not the only customer of the recruitment software firm, with its website showing Starr Partners, Sophos, and Professionals Real Estate Group are also on its books.
"As this breach is not within First National's responsibility, we, like all networks with the real estate industry are dependent upon the Sales Inventory Profile organisation complying with the necessary security arrangements," First National network chief executive Ray Ellis said.
"We are working with our affected offices, and more importantly, any applicants that have been affected".
The information leak was first highlighted by Gareth Llewellyn, who works in information security for Brass Horn Communications, after he tweeted last week about what he found online.
Initially, Llewellyn found an indexed S3 bucket that contained over 6,000 CVs and cover letters of individuals applying for a job within the real estate industry.
The leaked information included the full names, addresses, phone numbers, dates of birth, and other personal information -- as many applicants list their education and previous employment information on resumes.
Updating his findings, Llewellyn explained that salesinventoryprofile.com requires individuals to answer over 300 psychometric questions and then upload a CV.
It is the second data breach from an Australian recruitment company since the country's Notafiable Data Breaches (NDB) scheme came into effect in February last year.
HR firm PageUp confirmed in June that some data held on its clients may be at risk after falling victim to a malware attack.
The potentially accessed information included employee contact details, such as names, email addresses, street addresses, and telephone numbers, as well as employment information, such as employment status, company, and job title.
PageUp said if the application was submitted for a reference check, additional details may have also been breached, such as the applicant's technical skills, special skills, team size, length of tenure with company, reason for leaving that position, and the length of relationship between the applicant and reference.
According to Sydney-based law firm Centennial Lawyers, which announced it was considering launching a class action law suit against PageUp, companies that may have suffered at the hands of the malware attack include Wesfarmers-owned Coles, Target, Kmart, and Officeworks; the National Australia Bank (NAB); Telstra; the Reserve Bank of Australia; Australia Post; Medibank; the ABC; the Australian Red Cross; and the University of Tasmania.
- First National 'dealing with authorities' after reported information leak
- Emergency Warning Network confirms breach
- Malware hits HR software firm PageUp with possible data compromise
- Information on thousands of clients accessed in Family Planning NSW breach
- Eight reasons more CEOs will be fired over cybersecurity breaches (TechRepublic)
- 5 ways to build your company's defense against a data breach before it happens (TechRepublic)
- Australian Information Commissioner commends Red Cross for data breach response
- Phishing spikes as private health continues to be most breached sector in Australia
- Department of Social Services says it has contained data breach 'vulnerability'
- Australia's Facebook investigation expected to take at least 8 months