How do you deal with a cyberattack? The process and our lessons learned.

A big sorry from us to you!

3 min read | 10/11/2021 | News

You hope it never happens to you. A cyberattack. And yet it did, in late October. Our recruitment system, Homerun, fell victim to an attack that used ransomware. Its digital vault held all the data of job applicants, from all Homerun customers, large and smaller organizations alike, including ours. We therefore say, "A big sorry from us to you!"

Based on the Golden Path principle and our core values, we want to be transparent about our successes and our failures, just as we communicate this to our customers during workshops and implementations. Our starting point is that we are never 100% safe, but the Golden Path principles do tell us what to do when something goes wrong. We have a process for that, and everyone takes responsibility for it.

The suffering called a cyberattack

A nightmare, we might say. Of course, as an IT organization, you don't want to come into contact with a cyberattack at all. You have your processes and security in order. At least you think you do. You probably use external suppliers, and how long has it been since you did an internal check on your processes, business rules and data management?

Homerun announced yesterday via RTL News that a criminal was able to access hundreds of thousands of resumes after hacking the job application platform. You can read more about it here. Two weeks ago, a hacker gained access to Homerun's database, and, we were told, possibly to the data of our applicants.

Homerun CEO Willem van Roosmalen tells RTL News, "These are difficult choices, but we didn't want to run any risk that the data would be published anywhere. The interests of our clients and their candidates are paramount." The Personal Data Authority (AP) has been notified, vulnerabilities in the server have been fixed, systems have been updated and installed, and together with Northwave, Homerun is currently working hard on further communication.

The leak of where you applied, and how, can certainly have a negative impact, for example with your current colleagues or employer, or on your career. We are all aware of that, and that is why no one has been idle. Neither have we. At TeamValue we have done, and continue to do, a number of checks to keep your personal data safe.

Monitoring the data security process

A GDPR Data Processing Agreement. We have those with outside vendors. Only, in this case, we also have to take part of the blame ourselves, because we relied too much on the vendor to automatically apply the retention policies we had activated. Some candidates should already have been removed from the system. Hence also that big sorry from us to you. After it was announced on October 29 that a data breach had occurred, we too immediately reported the matter to the Personal Data Authority. Organizations that use Homerun are obliged to inform (former) applicants about the hack, but it is also our moral duty, and we feel responsible for the security of your data, so we are informing you about the consequences this might have for you.

Which candidate data might have been captured? Name, email, phone number, date of application and dates of follow-up appointments, the vacancy applied for and the conclusion of the interviews. Action required, then! What have we done so far?

  • After Homerun's report, we sparred with a fellow Homerun user from the region, ConnectingTheDots, and decided to take action
  • Right after that, over Friday night dinner, we determined the impact and looked at which short-term actions we had to take. Here we applied the 4-eye principle ourselves
  • We reported to the Personal Data Authority
  • We changed all passwords as a precaution
  • We created a track record of actions according to our own monitoring and management system at Bizure
  • We asked Homerun for a report detailing what was (potentially) covered by the data breach
  • We immediately cleaned up our file of lagging data on (former) applicants
  • All contacts who were in our system before Oct. 26 (the time of the cyberattack) received a message from us
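The retention lapse described above, where activated policies were assumed to work rather than verified, is exactly what a periodic check should catch. The following added example (not code from Homerun or TeamValue) audits a constructed CSV export of applicant records for closed procedures older than a retention window; the column names, the 28-day window and the sample rows are assumptions for illustration.

```python
"""Retention audit over an applicant-data export (added example).

Assumption: the export is a CSV whose columns follow the fields named in
the post; the sample rows and the retention window are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; no real applicants.
SAMPLE_EXPORT = """\
name,email,phone,applied_on,follow_up_on,vacancy,conclusion
A. Example,a@example.invalid,+31600000001,2020-03-02,2020-03-10,Data Engineer,rejected
B. Example,b@example.invalid,+31600000002,2021-09-14,,Consultant,open
C. Example,c@example.invalid,+31600000003,2021-01-05,2021-01-20,Developer,hired
D. Example,d@example.invalid,+31600000004,2021-06-01,2021-06-15,Developer,rejected
"""

# Closed procedures whose data stays in the recruitment system; hired
# candidates move to the personnel file and are out of scope here.
CLOSED = {"rejected", "withdrawn"}

def parse_export(text):
    """Parse the CSV export into dicts, converting the two date columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["applied_on"] = date.fromisoformat(row["applied_on"])
        row["follow_up_on"] = (date.fromisoformat(row["follow_up_on"])
                               if row["follow_up_on"] else None)
        rows.append(row)
    return rows

def last_activity(row):
    """The retention clock starts at the last contact in the procedure."""
    return row["follow_up_on"] or row["applied_on"]

def overdue_records(rows, today, retention_days):
    """Rows with a closed procedure whose last activity is older than the
    retention window: these should already have been deleted."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in rows
            if r["conclusion"] in CLOSED and last_activity(r) < cutoff]

def audit(text, today_iso, retention_days):
    """Summary for the audit log: totals plus the emails to purge."""
    rows = parse_export(text)
    overdue = overdue_records(rows, date.fromisoformat(today_iso), retention_days)
    return {"total": len(rows), "overdue": len(overdue),
            "purge": [r["email"] for r in overdue]}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, "2021-10-26", 28))
```

Run against a real export, the purge list is what you hand to the vendor (or delete yourself) and file with the audit record.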

This was teamwork across management, HR, marketing and our CTO.

The importance of internal audits

This just goes to show how important it is to have your internal audits in order. In this case, that specifically means keeping the storage of personal data to a minimum. How?

  • We haven't asked for a resume since we started using Homerun. This is partly data minimization, but also because we believe in character over ability, so we simply have a personal conversation with you
  • Only people with HR responsibilities within our company have access to the recruitment system
  • Homerun is a secure platform; we only relied too much on its security and did not audit it enough
  • Interview reports are kept in our own systems and appointments in Outlook, yet resumes still get emailed to us. Our people detect these and remove them from the mailbox once the procedure is completed
  • Based on this attack, we have increased our frequency. Instead of an annual audit, we now do a quarterly internal audit that includes external suppliers

We say a big sorry to those who have been notified by us, and we hope everyone learns from this case and takes measures. Because even if you have most of it in order, you can still fall victim to a cyberattack, and it involves personal data.

Still have a question? If so, please contact Xander Kuiper at [email protected].


More information about this blog? Get in touch with the author(s).
Xander Kuiper