Tonight I got an email from the online recruit arm of Bond Personnel, MyJob.ie, to inform me they recently suffered a security breach and were sending me a precautionary email to change my password. While there are no details as to what information the attackers accessed or how they manage to breach MyJob.ie’s security, there are two interesting points to note;

• MyJob.ie say they were not the primary source of the breach. This leads to the question which of their providers were breached?
• The attackers have already been arrested and a file sent to the DPP.  If this is the case, when did the breach originally occur and why did it take so long to notify those impacted?

The other question that is of interest is what is MyJob.ie’s data retention policy for holding client data? I have not used that website for well over 10 years,  so my data would be well out of date and no longer useful.  Indeed in the Data Protection Commissioner’s report for 2008 he mentions a security breach at jobs.ie and highlights they had retained personal data of clients for “an unnecessarily long period of time”. 

If you have been impacted by this breach I recommend that you

• You change your password for MyJob.ie
• Do not use the same password across different systems.  If you have used the same password on different systems then change them to an individual password on each system.
• Do not respond to any emails that may be phishing emails looking for your personal details

The text of the email is below;

Dear Honan,

I am writing to bring your attention to a recent security breach on the server hosting Myjob.ie. The breach was quickly identified, and the Gardai have apprehended two individuals who are now the subject of a file being compiled for the Director of Public Prosecutions. Although Myjob.ie was not the primary source of the breach, as a precautionary measure we would ask all users to immediately change their password. Furthermore we would ask you to observe best practice in choosing all internet passwords and do not use the same password for more than one internet service. If you do use the same password for multiple services we would strongly urge you to rectify this immediately by logging into those systems and choosing a new password. Also, please note that reputable companies do not request personal details by email, if a company contacts you do not give any personal information until you have established they are legitimate.

• Never give out personal banking information
• Do not share your passwords with anyone
• Do not open email attachments if you are suspicious, especially .exe files.

Please accept our apologies for any inconvenience or distress caused by this precautionary email. Should you wish to contact us please send an email to security@myjob.ie

Yours sincerely,

John Doupe