NJ talent firm exposed thousands of resumes, detailing immigration statuses and security clearances

A New Jersey talent acquisition firm exposed the résumés and personal information of at least 30,000 potential employees by leaving an online database accessible without a password. The database is owned by Voto Consulting, a North Brunswick company that finds jobs in the US primarily for Indian IT professionals.

It's not known exactly how long the database was exposed, but Shodan, a search engine for exposed devices and databases, first indexed it on May 10. The database was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who provided details of the database to TechCrunch. Because the database was exposed to the Internet without a password, anyone could search it from a web browser.

The database contained candidates' names, email addresses and resumes, many of which contained detailed employment histories, as well as other personal information such as addresses, phone numbers and dates of birth. In many cases, the resumes also revealed candidates' immigration status, such as whether they had a visa, work clearances, or citizenship, as well as details of a person's security clearances required for some US federal government jobs. Although the existence of a security clearance may not necessarily be a secret in and of itself, foreign governments have long sought to exploit and blackmail those with security clearances for intelligence gains.

TechCrunch contacted Voto CEO Lynel Fernandes with a link to the exposed database on May 11, but we did not hear back, nor did the company immediately secure the database. (A message sent with an open tracker showed that our email was opened multiple times but ignored.) After receiving no response, TechCrunch notified the New Jersey Cybersecurity and Communications Integration Cell, a state government agency tasked with sharing cybersecurity information and reporting incidents, which agreed to notify Voto by email and phone based on the exposed data.

The database has been offline since Tuesday, more than two weeks later. By the time the database was secured, it had increased more than fivefold in size, listing more than 170,000 entries in total.

