Company name and location: FastTrack Reflex Recruitment (now part of Team Resourcing Ltd.), based in the United Kingdom.
Size: 5 GB of data leaked, with 21,000 exposed files.
Data Storage Format: AWS S3 Bucket.
Countries Affected:Primarily affected UK citizens, though some people were from Europe, Western Asia, and the US.
The Website Planet research team discovered a misconfigured bucket owned by the company formerly known as FastTrack Reflex (now named TeamBMS as part of TeamResourcing), exposing CVs containing the personal information of thousands of job applicants. Attached to numerous CVs were the personal IDs of applicants, including passports, citizen ID cards, driver’s licenses, and skilled worker IDs.
Customer Data Leaked
Several document formats were found amongst the files on the database, such as ‘.pdf’ and ‘.doc.’ The CVs that were leaked in this breach contained numerous examples of directly and indirectly identifiable applicant PII.
Examples of directly identifiable PII on the CVs include:
- Full names
- Email addresses
- Mobile phone numbers
- Home addresses
- Social network URLs for some applicants (sites like Linkedin, Facebook, and Twitter)
Examples of indirectly identifiable PII could also be found on the leaked CVs, such as:
- Educational/professional information
- Personal hobbies/interests
Personal IDs that were attached to many of the CVs contained other samples of applicant PII. Details that could not be found on many of the original CVs alone include:
- Dates of birth
- Passport numbers
- Applicant photos
FastTrack stored the data of applicants on an AWS S3 Bucket, a public cloud storage resource available for hire from Amazon Web Services. Though, the configuration of the server is not the responsibility of Amazon.
21,000 client files (including duplicates), equating to 5GB of data, were left unprotected on FastTrack’s bucket. The files belong to people whom FastTrack Reflex Recruitment has been connecting with brands and organizations for work across the United Kingdom.
The leaked sensitive customer data could be used by hackers to conduct a wide range of criminal activities. Examples of the leaked CVs and personal IDs can be seen below.
The most recent files we could see were from February 2020, and after an attempt to apply for a job through FastTrack’s website, no new records appeared on the server. Given FastTrack’s recent merger, it is not thought that this server was live and regularly updated at the time of discovery.
Tens of thousands of people could be affected by this. There’s a vast number of CVs and IDs stored on the database, and even if every applicant was to upload one CV and one ID, there would be more than ten thousand people affected. We do not know the exact ratio of CVs to IDs, though more CVs are thought to be stored on the database than IDs. The information of other contacts (such as professional references) may also be exposed.
FastTrack primarily works alongside companies located within the UK, and several foreign nationals are implicated in this breach. That being said, these nationals are likely UK residents, and we are not aware of any international business conducted by FastTrack Reflex.
As a result of this exposure, FastTrack could receive legislative action from GDPR and the UK’s Data Protection Act 2018.
Who was affected
FastTrack Reflex is a recruitment firm that specializes in the Building Management Systems (BMS) sector. FastTrack Reflex Recruitment, which is now known as ‘TeamBMS,’ merged with sister company ‘TeamSales’ in late January 2021. Owned by the Empresaria Group PLC, the merger goes by the name of TeamResourcing, with ‘TeamBMS’ as one of its divisions.
FastTrack recruitment is a business-to-business company that has procured BMS talent for huge projects across the United Kingdom. FastTrack (or TeamBMS) primarily collaborates with UK citizens, and we do not know if the company operates at an international level. The records of European, West Asian, and American nationals have all been found on FastTrack’s server, though it’s likely that many of these foreign citizens reside within the UK.
CVs have been identified from this assemblage of nationalities. Some of them contained passports, driving licenses, and skilled worker cards. Personal IDs that were issued in various different countries, and of several different types, were found on FastTrack’s database.
Who Was Leaking the Data?
FastTrack Reflex Recruitment, now TeamBMS, has more than 20 years of experience recruiting in the Building Management Systems sector.
FastTrack facilitates talent for the design, commissioning, and service of Building Management Systems. FastTrack is based in West Sussex, in the United Kingdom, and, among others, world-renowned building projects in the UK have used FastTrack.
FastTrack has provided recruitment for skyscrapers like 22Bishopsgate, 20 Fenchurch Street, and The Shard, not to mention stadia (Wembley and the Olympic Stadium), travel terminals (Heathrow Terminal 5 and Crossrail), and other private projects (White City, AstraZeneca, and Battersea Power Station).
This data leak is likely the result of a human error on the part of FastTrack Reflex IT team/services provider. Amazon is not responsible for the configuration of FastTrack’s database and is in no way culpable for this data exposure.
Impact on Applicants
While FastTrack’s AWS S3 Bucket has been left unprotected and unsecured, we cannot know if unethical hackers have found the open bucket, and downloaded, leaked, or distributed any of FastTrack’s clients’ data.
If you are at risk of this exposure, however, please be aware that hackers could have accessed the server. Hackers can use your personal data to conduct several different criminal activities.
Address fraud, Identity Theft
- Identity Theft and Fraud – Names, addresses, emails, phone numbers, and personal details like one’s educational & professional information, can be used by hackers to assume the identity of the victim in question – gaining access to accounts, building trust with associates of the victim, or targeting these victims with fraudulent attacks across multiple platforms. For example, with a name and address, a hacker could change your postal address to a location of their choice, intercepting bank receipts and financial mail, and using these details to order cheques and new credit cards from your account.
- Scams, Phishing & Malware – Criminals can contact victims through email or via a phone, establishing trust with the victim’s personal details. On the phone, these criminals are likely to attempt to con money out of victims or find out information that could allow them to conduct other criminal activities. Through email, criminals could convince people to click a link – from which malicious phishing and malware software could be downloaded onto the victim’s device.
- Business Espionage – Other companies could find out about FastTrack’s list of clients, and could attempt to pry them away from FastTrack, or find out more information about how FastTrack conducts its business.
- Theft – Personal information, and in particular home addresses, could be used to target the homes of FastTrack clients with theft or robbery.
Data Privacy Laws
FastTrack’s business is conducted with individuals across the United Kingdom. While we cannot know all of the laws FastTrack may be subject to, there are a few that, conceivably, FastTrack will come under scrutiny from.
For effects against EU citizens, FastTrack has broken GDPR law. GDPR imposes itself wherever the data of EU citizens is mishandled, no matter where in the world that may be. Under GDPR, companies are required to handle data securely, with technical and organizational measures in place. The maximum punishment for breaking GDPR is a fine of around €20 million, or 4% of the company in question’s annual turnover (whichever is higher).
Since leaving the EU, the United Kingdom has retained GDPR law in the form of the Data Protection Act 2018. Under this act, the maximum fine is again, around €20 million, or 4% of a companies annual turnover (whichever is higher). FastTrack has failed to report its breach, and for this reason could face a fine of €10 million, or 2% of its annual turnover.
Loss of Business
This data breach may also damage the reputation of FastTrack, resulting in ‘bad publicity,’ with fewer companies and clients willing to do business with FastTrack.
By failing to properly protect the data of its clients, FastTrack has placed those people at risk of criminal activity. There has been an element of trust broken between FastTrack and its clients, and these clients may look to take their business to other recruitment firms instead.
Competitors of FastTrack could see the leaked list of clients. These competitors could contact FastTrack clients to pry this business away from FastTrack.
FastTrack (now TeamBMS), could be contacted by competitors posing as a client or member of the business. After establishing trust through client information and personal data, hackers could find out more about the business operations of FastTrack.
Status of the Data Breach
All exposed data is accurate and relates to the clients of FastTrack Reflex Recruitment, now known as TeamBMS. All of the records discovered in this exposure belong to real people.
The leak was discovered on December 29th, 2020. After days of research, we found out that the bucket belonged to FasTrack Reflex.
On January 12th and 15th, 2021, we reached out to FastTrack Reflex regarding the exposure, and on March 1st, 2021, we contacted TeamResourcing. After several attempts of reaching the company, Hosting and the UK CERT, we finally received a reply from TeamResourcing on 17th March. The bucket was secured on 23rd March.
Protecting Your Data
If you’re at risk of criminal activity because of this data leak, there are steps you can take to lessen the risk of a successful targeted attack.
First of all, you are well within your rights to request that a company deletes your data. If you do not trust a business with your information, any official request must be honored by the institution in question in accordance with data privacy standards.
To avoid scams, malware, and phishing attacks, it is imperative that individuals stay vigilant when receiving calls from unknown numbers, or receiving emails from accounts that do not seem entirely trustworthy. Do not provide personal information, click a link, or download a file at the request of these parties unless they can definitively prove who they are. Concerned individuals should also regularly monitor their postal address and credit card information, looking out for any confirmation emails of changes to account details.
FastTrack, and anyone else implicated in this breach, should be vigilant when receiving calls from parties claiming to be clients or associates. In which case, businesses must implement strategies to confidently identify these individuals.
It’s crucial that FastTrack, as well as any businesses at-risk of this exposure, implements stringent security measures when storing customer data. Businesses should hire a cybersecurity professional, to be sure that customer data is adequately protected.
How and Why We Report on Data Breaches
We want to help our readers stay safe when using any website or online product.
Unfortunately, most data breaches are never discovered or reported by the companies responsible. So, we decided to do the work and find the vulnerabilities putting people at risk.
We follow the principles of ethical hacking and stay within the law. We only investigate open, unprotected databases that we find randomly, and we never target specific companies.
By reporting these leaks, we hope to make the internet safer for everyone.
What is Website Planet?
Website Planet is the number one resource for web designers, digital marketers, developers, and businesses with an online presence. You’ll find tools and resources for everyone, from beginners to experts — and honesty is our top priority.
We have an experienced team of ethical security research experts who uncover and disclose serious data leaks as part of a free service for the online community at large. This has included a breach in a Indian B2B online packaging marketplace, as well as a breach in a European office supply retailing company leaking private data.