HR management portal myrocket.co suffered a 260GB data breach on Wednesday that exposed sensitive personal information of employees, according to a report by Cybernews.
The company provides end-to-end recruitment solutions and HR services to companies in India.
The data includes sensitive and personally identifiable information like name, phone number, bank details, parents’ names, date of birth, salary, payslip, tax information, and even photocopies of personal documents like a driving license and voter ID. It is estimated to have affected nearly 2,000 employees and almost nine million job candidates.
Researchers warn that the data might help threat actors craft targeted campaigns, assist in forgery and identity theft, and trick companies into making payments. The data includes 435,000 payslips, 300 tax filings, 3,800 insurance payment documents, and 21,000 salary sheets belonging to various companies using the platform. It was leaked due to a misconfiguration of a newly created Kibana instance, which has since been fixed.
Data on around nine million job candidates, including insecurely hashed emails, phone numbers, names, home addresses, and automatically generated resumes, was also part of the leak.
Researchers suggest that users contact the government branches responsible for issuing documents, ask for the documents to be invalidated, and apply for fresh documentation. Users should also monitor their bank account activity and either change their phone numbers or take additional steps to secure leaked information.
Users are also advised to take extra care when receiving messages, especially those containing leaked information, as it could be used to launch phishing attacks.