Seek apologises for 'internal technical issue' that exposed user details

But it has no intention of reporting the issue as a notifiable data breach to the Office of Australian Information Commissioner.
Written by Aimee Chanthadavong, Contributor

Job search engine Seek confirmed while it suffered an "internal technical issue" on Monday, which resulted in the exposure of other candidate details when they were logged into their Seek Profiles, it does not view the incident as a notifiable data breach and will not be reporting it to the Office of Australian Information Commissioner (OAIC).

"We identified an internal technical issue that occurred during a 23-minute period on Monday 10 August 2020," the company told ZDNet.  

"During that time period, due to a cache error, incorrect information such as career history and education was able to be viewed across profiles logged in at that time."

The data breach was highlighted in a Reddit thread when one user posted how they could view other users' profiles while logged into their own account. 

Seek however, assured that no names, contact details, or resumes of candidates in Seek profiles were impacted.

The error impacted fewer than 2,000 Seek profiles, the company said, adding 206 job applications that were being submitted during the period were also affected.

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia    

"This involved incorrect details relating to the most recent role a candidate held being included within their job application. Again, this did not include information from the name, contact details or email address fields, nor did it impact any resumes sent as part of job applications," Seek said.

Seek said the "technical issue" was identified and corrected quickly, and all affected candidates and hirers have since been contacted.

"We sincerely apologise for any inconvenience caused," the company stated.

Given a "very limited" amount of information from candidate profiles were exposed, the job search engine said it will not be reporting the incident to the OAIC. 

"Given that this incident involved a very limited amount of information from candidate profiles being inadvertently shown to other candidates, who happened to be logged into the website during the brief period of time during which this occurred, the incident is not a notifiable data breach and therefore one that did not require reporting to the OAIC," Seek told ZDNet. 

"Notwithstanding this, Seek takes our candidates' s privacy seriously and has contacted all candidates affected by this incident as well as conducted significant due diligence to determine the cause and impact as well as remedial/preventive step to be taken."

Under the Notifiable Data Breaches scheme, agencies and organisations in Australia that are covered by the Privacy Act are required to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm" as soon as practicable after becoming aware of a breach.

Last month, the OAIC revealed the number of reported data breaches in Australia for the 2019-20 financial year totalled 1,050.

For the six months spanning January to June 2020, 518 breaches were notified under the Notifiable Data Breaches (NDB) scheme, down 3% from the 532 reported in July to December 2019.

Data breaches resulting from human error was the case for 176 breaches from January through June, with personal information sent to the wrong recipient via email accounting for 68 of those cases. In two cases, a fax with personal information was sent to the wrong recipient.

There was a loss of paperwork or storage device on 14 of the reported occasions.

Related Coverage

Editorial standards