A new government jobs website appears to have significant security flaws, leaving users exposed to scams and identity fraud.
Channel 4 News conducted an investigation into the government’s Universal Jobmatch site and hackers were able to steal information including passwords, national insurance numbers and even passport scans with relative ease.
The new service, which replaced the Jobcentre Plus website on 19 November and is accessed via the gov.uk portal, allows jobcentre staff to monitor the activity of applicants and suggest jobs. But Channel 4 News reports that no security checks are performed on those who advertise positions, enabling cyber-criminals to launch scams posing as employers.
In an investigation by the channel, hackers used “clearly false details” to register and post a fake advert for a cleaning job, which went live on the site without any apparent checks. The hackers were then able to harvest personal details of over 70 jobseekers, with the information able to facilitate activity such as selling data on forums, obtaining prepaid credit cards, stealing funds from PayPal, and taking out payday loans.
In a statement responding to the findings, the Department of Work and Pensions said, "The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer's been made. Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.
"The security of a claimant's data is of the utmost importance to us and we have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks. If someone is being asked for personal information or details beyond their CV we would recommend they alert Jobcentre Plus immediately."