Remember the job ad for poor man’s James Bond?
I suggested in the title that the government’s jobsearch site had been hacked, and several people proposed other solutions: that the job was test data that had accidentally become public did seem the most plausible. After all, who would allow job ads to be posted that hadn’t been reviewed by someone responsible for making sure they were valid jobs, posted by a proper employer?
The Department of Work and Pensions would, that’s who.
The Universal Jobmatch website was launched on 19 Nov and is accessed via the government portal gov.uk. It replaces the Jobcentre Plus website, which was exposed by Channel 4 News as being vulnerable to fraudsters in 2011. At the time the Department of Work and Pensions told us each advert would now be “checked for legal compliance” before going live.
The new site allows jobcentre staff to monitor the activity of jobseekers, checking what jobs have been applied for and suggesting new jobs. But there are no security checks performed on the people who post jobs, so our investigation was able to register as an employer in minutes.
This is exactly, in fact, what we might expect from Iain Duncan Smith’s DWP: the belief that while the unemployed are scroungers and shirkers and need constant monitoring to be sure that they really are looking for work, there’s no need to worry about their security details.
As Channel 4’s investigation reported last week: the new Universal Jobmatch site has become a scammer’s paradise. Anyone who wants to harvest personal details can register as an employer, post tempting job ads, and await the personal details that will arrive. Specifying that the applicant must prove they have a legal right to work in the UK will even get the scammer passport details or driving licence details:
A fake ad posted by a group of hackers seeking to draw attention to the security flaws was able to harvest the personal details of over 70 jobseekers.
Using clearly false details the hackers registered as an employer and gained access to the site posting a fake ad for a cleaning job which went live seemingly unvetted.
They were then able to quickly harvest personal information including passwords and passport and driving licence scans that can be used for identity fraud or allow them to illegally access email and even online bank accounts of applicants.
But they must have some security in place, right? Well, yes, they do. Sort of. The DWP say:
“The site clearly advises jobseekers not to give out personal details like bank accounts or National Insurance numbers until a job offer’s been made.
“Anybody seeking to acquire personal data by publishing fake job adverts should be aware this is potentially an attempt to commit fraud and that is a criminal offence.”
So, the DWP’s online security is the law: it’s illegal to post a fake job ad, make a fake job offer, and thus obtain personal data, and that’s obviously going to prevent people from doing it.
Do you feel more secure now?
DWP also claimed:
“We have a number of checks in place when employers register to use the site. Sadly, there will always be a small number of cases where people seek to get around these checks.”
But as the Guardian reported yesterday, these checks must be very easy to get around: ads have been posted for “internet babes”, for the mafia, and some possibly-not-fraudulent but certainly dubious ads for jobs that may not really exist:
One so-called apparent employer who listed a sales assistant job with pay ranging between £17,000-£25,000 while admitting the company was not a registered business but would apply once it took on employees.
The employer would not say whether the business was based in the UK and an address for the company led to a mailbox service in east London.
PCS has expressed concern that Job Centre staff may be told by their management to instruct jobseekers (falsely) that registering with Universal Jobmatch is mandatory – the DWP’s goal is to have 80% of jobseekers using it by August 2013.
[20th Dec: To ensure this happens, since apparently there has been huge positive feedback from jobseekers but this does not actually extend to wanting to put their CVs and contact info on a site so easily hacked, the DWP have decided to make use of their Universal Fraud Site mandatory from January.]
At the recent meeting, DWP management confirmed that the use of Universal Jobmatch is non-mandatory. On the security issues, management acknowledged that there had been ‘teething issues’ but that these were being resolved. PCS has put pressure on management to ensure a human rather than an automated IT check for the placing of vacancies by employers, to avoid the embarrassment of the bogus MI6 vacancy being repeated.
PCS believes that it is essential for the future of the new service that jobseekers can have full confidence in the security of the system and trust and respect their employment adviser. It is therefore extremely damaging that some managers are putting pressure on jobcentre staff to tell jobseekers that they must register or grant their adviser access to their Universal Jobmatch account. This is clearly not currently the position and to suggest that it is would amount to official misdirection. PCS is now seeking to establish exactly what the legal position is and in the meantime strongly advises members not to put themselves in the position of misinforming the public about Universal Jobmatch.
If you are a job seeker who is being instructed that you must sign up with Universal Jobmatch, there’s a suggested draft of a letter to show your employment adviser. It appears that there’s absolutely no security that any employer registered on the DWP’s job website actually exists, or that any job being offered is real.
The James Bond jobs aren’t the problem – they’re funny, but they just prove that the site isn’t secure. The jobs posted by scammers that are meant to look real are a huge problem. And for what it’s worth, Iain Duncan Smith should be aware that one likely result of scammers getting personal details such as national insurance number is a real increase in benefit fraud.
Other reading: Welfare is the most important infrastructure we have.
Merry Christmas, everybody.