​Over 780k email addresses reportedly exposed in Capgemini leak of Michael Page data

Names, email addresses, and other personal information belonging to customers of the global recruitment firm has been leaked online.
Written by Asha Barbaschow, Contributor

Several gigabytes of data belonging to global recruitment firm Michael Page has reportedly been leaked, containing information such as names, email addresses, cover letters, and job history of the firm's employment candidates.

Revealed in a blog post by security researcher Troy Hunt, the leaked MySQL data dump exceeds 30GB and contains over 780,000 unique email addresses, with Hunt confirming there was "plenty" of data relating to candidates.


One of many tables included in the leaked dataset.

Image: Troy Hunt

It is believed the leak came from multinational consulting and outsourcing firm Capgemini, but it is unsure if the information was exposed intentionally.

It is also understood that customers of Michael Page received apologetic emails from the organisation that explained there had been unauthorised third party access to its system, and mentioned that the company was working with Capgemini to "fix" the problem.

In a statement, Michael Page said Capgemini was alerted to the data leak on October 31, and the records of 711,000 candidates from the UK, China, and the Netherlands were accessed.

"Due to the nature of the data, there is limited risk of fraudulent activity for those affected. We can also confirm that no other data has been compromised," Michael Page said.

"We requested that the third-party destroys all copies of the data and they have confirmed that they have already done so."

Michael Page confirmed the data contained surnames, email, phone number, location, job sector and type information, "encrypted" password, current job for applicants from LinkedIn, and any covering letter.

Last month, Hunt exposed the Australian Red Cross data leak that saw a 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables publicly available.

At the time, Hunt explained that the data came from an online donor application form that contains details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments they made.

Hunt said he was tipped off about the Michael Page data leak by the same individual that told him of the Red Cross leak, who sent Hunt a file indicating it was sourced from the UK as proof.

"It was a 362Mb compressed file which extracted out to 4.55GB. Assuming a similar compression ratio, the files in the directory listing above would total well over 30GB of raw data which is a very large set of data to leak publicly," Hunt wrote.

He also said that the Michael Page incident resembled that of the Red Cross, and noted that it's the same story in terms of discovery: An underlying risk on the server end, publicly exposed website, directory listing enabled, and SQL dump files exposed.

Updated at 4:28 AEDT, November 11, 2016: Added statement from Michael Page.

Editorial standards