Based on the Golden Path principle and our core values, we want to be transparent about our successes and our failures. Just as we communicate this to our customers during workshops and implementations. Our starting point is that we are never 100% safe, but we do know from the Golden Path principles what to do when something goes wrong. We also have a process for that and everyone takes responsibility for it.
The suffering called a cyberattack
We may say a nightmare. Of course, as an IT organization, you don't want to come into contact with a cyberattack at all. You have your processes and security in order. At least you think you do. You probably use external suppliers and how long has it been since you did an internal check on your processes, business rules and data management?
Homerun announced yesterday via RTLnews that a criminal was able to access hundreds of thousands of resumes after hacking the job application platform. You can read more about it here. Two weeks ago, a hacker gained access to Homerun's database. And possibly to our applicants we were told.
Homerunceo Willem van Roosmalen tells RTL News, "These are difficult choices, but we didn't want to run any risk that the data would be published anywhere. The interests of our clients and their candidates are paramount. "The Personal Data Authority (AP) has been notified, vulnerabilities in the server have been fixed, systems updated and installed, and together with Northwave, Homerun is currently working hard on further communication.
The leakage of where you applied and how can certainly have a negative impact, for example, with your current colleagues, employer or on your career. We are all aware of that and that is why no one has been idle. And neither have we. Also at TeamValue we have done and continue to do a number of checks to keep your personal data safe.
Monitoring the data security process
A GDPR Data Processing Agreement. We have those with outside vendors. Only, for this one, we put our own hand in our pockets, because we relied too much on the vendor that the retention policies we activated were automatically applied. Some candidates should have already been removed from the system. Therefore, also that big sorry from us to you. After October 29 it was announced that a data breach had occurred, we too immediately reported the matter to the Personal Data Authority. Because organizations that use Homerun are obliged to inform (former) applicants about the hack, but also because it is our moral duty and we feel responsible for the security of your data, we inform you about the consequences this might have for you.
The data that might have been captured from candidates? Name, email, phone number, date of application and date of follow-up appointments, vacancy applied for and conclusion of interviews. Action required, then! What have we done so far?
- After reporting Homerun, we sparred with a fellow Homerun user from the region, ConnectingTheDots, and determined to take action
- Right after that, over Friday night dinner, we determined the impact and looked at what short-term actions we had to do. In this we applied the 4-eye principle ourselves
- We reported to the Personal Data Authority
- We have changed all passwords as a precaution
- Created a track record of actions according to our own monitoring and management system at Bizure.
- We asked Homerun for a report detailing what was (potentially) covered by the data breach
- Immediately clean up our file with lagging data of (former) applicants
- All contacts who were in our system before Oct. 26 (the time of cyberattack) received a message from us
We call this teamwork from both management, HR, marketing and our CTO.
The importance of internal audits
This just goes to show how important it is to have your internal audits in order. For this case, that specifically involves keeping the storage of personal data to a minimum. How?
- We haven't asked for a resume since we've been using Homerun. We're working on data minimization with this, but also because we believe in character for ability so we're just going to have a personal conversation with you
- Only HR responsibilities within our company have access to the recruitment system
- Homerun is a secure platform, only we relied too much on security and did not do enough audits on it.
- Interview reports in our own systems, appointments in outlook, and yet resumes being emailed. These are detected and removed from the mailbox by our people after procedures are completed.
- Based on this attack, we have increased our frequency. Instead of an annual audit, we now do a quarterly internal audit that includes external suppliers.
We say A big sorry to those who have been notified by us and we hope everyone learns from this case and takes measures. Because even if you have most of it in order, you can still fall victim to a cyberattack, and it involves personal data.
Still have a question? If so, please contact Xander Kuiper at [email protected]
A little chat?
Do you have a data, cloud or IT transformation challenge? We'd love to think with you. Please contact us without obligation.