French Job-Seeking Platform Exposes 14 Million Records Online

Last updated November 26, 2019
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

As discovered by security researchers Noam Rotem and Ran Locar, the French job-seeking platform "Groupe Phosphore" has left two databases accessible online without setting up a password. The incident exposes small businesses in France and Belgium, as well as many thousands of individuals. The two databases are named "Henrri" and "Rivalis", which concern the company’s invoicing platform and professional support and consultancy network respectively. This means that each database contains data from clients who use these two software solutions, and the implications of this are major.

The researchers discovered the two databases on October 7, 2019, but the company responded to their repeated messages more than a month later. The date when the Groupe Phosphore team finally secured the databases was November 20, 2019, so the data remained accessible for at least 40 days. The databases contained a total of 14 million records and had a combined size of about 17.2 GB. The researchers analyzed this data and found out the details of 27,286 small businesses and 339,787 private individuals. As for what kind of data was exposed, it was mainly the following:

Business Data:

Henrri

Source: VPN Mentor

Individuals Data:

Rivalis-Candidate

Source: VPN Mentor

As it becomes obvious from the above, the impact is both wide and deep, as the exposed people and businesses will now face a severe risk of being targeted by hackers and scammers. It also raises many concerns about the general security practices that are followed by Groupe Phosphore, who owns another 15 firms and market a large number of business-grade software products.

Finally, considering the amount of data and their importance, the possibility of a class lawsuit against them cannot be ruled out. The businesses will certainly seek explanations and compensation, but something similar will be a lot harder to do for the exposed job applicants. If you have submitted a job application through Rivalis, beware of financial and identity fraud efforts against you. In any case, you can even contact the French data protection authority and report the incident to them. If enough people do it, the authorities will investigate the occurrence.

Do you have something to comment on the above? Share your thoughts with us in the section down below, or join the discussion on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: