HR emailed eighteen thousand (former) WUR employees on 10 January. The application they used to upload their resume or ID when they started their employment was vulnerable, and not for the first time. The chance the data could be abused is small but present, HR says.
For those unfamiliar with the world of hackers, the term “ethical hacker” may be new. An ethical hacker is a person who enjoys cracking software but does so without malicious intent, in order to alert organisations to vulnerabilities in their IT infrastructure. An ethical hacker decided to focus their ‘benign’ efforts on WUR last year in May.
HR Operations director Brigitte Bancken: ‘He uncovered a data leak within our system, in the HR application of the Mendix software (MyHR), which newly recruited employees use to upload documents such as their passport or resume through the “new employee” form. The hacker informed us that our systems could be cracked using a script that was readily available online. He was unable to penetrate our system but could view documents that new employees had uploaded and failed to submit. The information he gained access to was sensitive, such as social security numbers. That raised the alarm as some 1500 individuals were affected. We informed them all. There were no signs of abuse of the information.’
Fix
Although the ethical hacker discovered a breach in the system in May, HR only sent out an email to eighteen thousand (former) employees in January to inform them that a vulnerability had been discovered in the uploading system. HR Privacy Officer Barthe Brinkman: ‘That is correct. The mail, however, was not about the breach in May. We used a so-called fix to secure the breach at the time. We went on to investigate the vulnerabilities and critically reviewed the personal information we requested. We discovered that we don’t require all of the information we ask new employees to submit. The less data you have, the smaller the impact of a data leak on the involved parties. Moreover, we are considering how we can remove data rapidly when they are no longer needed. To be sure, we hired an external professional to test the system in December.’
Bancken clarifies that the test was conducted using a so-called PEN test (pen stands for penetration, ed.). ‘This was one of the follow-up steps we had discussed in May. IT security companies have hackers available that you can hire to test your system. He can develop a script to gain entry into our system. Much to our frustration, he succeeded. The hacker discovered that when a new employee uploaded a document, he was able to see and gain access to the document for a short while until said document was secure within our WUR system. There is still a vulnerability.’
Not to be ruled out
HR reported their findings to the Personal Data Authorities, and WUR’s IT security team conducted an analysis. ‘They did not discover any abuse but cannot rule it out. In such cases, we are required to inform those involved, and that is why we sent an email message to 18 thousand (former) employees who used the MyHR Mendix form between 2018 and 2024.’
Brinkman: ‘We can see uploads and downloads, and we have no indication that documents were leaked in May or December. We saw no irregularities such as sudden downloads of 100 documents.’
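The kind of check Brinkman describes, looking through the upload/download audit trail for sudden bulk downloads, as an added example that is not from the article or from WUR's own tooling. The log line format, the user names and the document counts are constructed for the example; the threshold of 100 documents follows the figure quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical audit-line format assumed for this example (not WUR's real logs).
LINE_RE = re.compile(r"^(\S+) (upload|download) user=(\S+) doc=(\S+)$")


def build_sample_log():
    """Constructed sample log: one HR clerk with routine activity, one new-hire
    upload, and one account that pulls 120 distinct documents in four minutes."""
    base = datetime(2024, 12, 3, 9, 0, 0)
    lines = [f"{base.strftime(FMT)} upload user=newhire17 doc=9001"]
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).strftime(FMT)
        lines.append(f"{ts} download user=hr_clerk doc={100 + i}")
    for i in range(120):
        ts = (base + timedelta(seconds=2 * i)).strftime(FMT)
        lines.append(f"{ts} download user=unknown_acct doc={5000 + i}")
    return "\n".join(lines)


def parse(text):
    """Parse audit lines into (timestamp, action, user, doc) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), FMT), *m.groups()[1:]))
    return events


def download_bursts(events, threshold=100, window=timedelta(minutes=10)):
    """Flag users whose distinct-document downloads within any sliding window
    reach the threshold. Returns {user: peak distinct docs in one window}."""
    per_user = defaultdict(list)
    for ts, action, user, doc in sorted(events):
        if action == "download":
            per_user[user].append((ts, doc))
    flagged = {}
    for user, dl in per_user.items():
        start, peak = 0, 0
        for end in range(len(dl)):
            while dl[end][0] - dl[start][0] > window:
                start += 1
            peak = max(peak, len({doc for _, doc in dl[start:end + 1]}))
        if peak >= threshold:
            flagged[user] = peak
    return flagged
```

Running `download_bursts(parse(build_sample_log()))` flags only the constructed bulk-download account; routine single downloads spread over the day stay below the threshold.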
HR’s Operational Program Board has decided to stop using this Mendix application. What now? Bancken: ‘The struggle remains. In this day and age, we cannot ask people to report to the front desk to have their documents scanned. We have been using a workaround since December, but that is a temporary measure. A structurally safe solution is our highest priority.’