A Margate charity worker is urging people to check what information can be found about them online after discovering her name, address, phone number, email and entire CV being displayed on google.
Adele Mahan, 46, applied for a job with Your Leisure in 2019 via a job vacancy website. But in March 2020 she read an article about online data and decided to check her own details. This is when she found the CV submitted for the job, and her home and contact details, were being displayed on google.
The mum-of-one said: “I applied for the job but did not get an interview so forgot all about it. Last year I read an article about checking your online presence and decided to check mine.
“Links came up for the usual facebook and Twitter but then there was one with my name, email address, home address, phone number and document. I clicked on the document and it was my whole CV.”
Adele contacted Your Leisure but says the response was unsatisfactory and there has been no aplogy for the leak of her details.
She then filed a complaint with the Information Commissioner’s Office, which deals with information rights, which found data protection obligations had been breached.
Adele said: “This could have happened to someone coming out of an abusive relationship and they could then have been found.
“When I spoke to Your Leisure they referred it to their data person but the reply I got was all very technical. My son works in IT and looked at it. It was saying it was the software, but I really was not happy with that.
“One of the questions I asked was how long the information had been out in the public domain and they couldn’t tell me. I think it had to be at least five months.
“I reported it to the ICO. I never had any contact from Your Leisure with an apology, which was all I wanted. They should have had processes in place to prevent this happening.”
The ICO said: “Your Leisure has not complied with their data protection obligations. This is because they did not securely process Adele Mahan’s personal data.”
Further action required were issued by the ICO. These were to make sure:
Organisational data security is routinely reviewed and updated to ensure your data protection obligations are being met
All staff attend mandatory data protection training that is routinely tested and refreshed
Operational policies are regularly reviewed to ensure that all data processing integrates measures to protect individual data rights by design and default.
Your Leisure says it is appealing the findings of the ICO and stresses that the incident is not related to any membership data but was an isolated incident through a third party website.
A spokesperson said: “Your Leisure has submitted an appeal to the ICO contesting the case officer’s conclusion that the company was responsible for a CV document uploaded via a WordPress-based contact form (the form plugin in question is no longer in use) being indexed by Google and made searchable via the tech giant’s search engine if narrow and specific keywords were used.
“To add, no information transmitted via the form fields was made publicly accessible, only the uploaded document was indexed by Google.
“The issue is in no way linked to Your Leisure’s membership platform which sits on a wholly separate service (the membership management software, which our members will mainly know as the ebooking site which links out from our WordPress websites but is not part of them other than a URL link – these are two completely standalone platforms) and no membership data is stored by WordPress (the yourleisure.uk.com website).
“It must be stressed and made clear that this is a purely WordPress CPanel folder and Google web crawler issue relating to a CV document and nothing else.
“In April 2021, upon discovery of Google’s indexing of a WordPress folder, Your Leisure took immediate steps to ascertain the cause and swiftly took remedial measures supported by expert data protection and ITC advice.
“Google was instructed to remove all record of the document that they had indexed, and the contact form plugin removed (all current WordPress forms running are using a new recommended platform and SMTP service). Your Leisure also immediately updated its policies and no longer accepts CVs via any WordPress-based contact forms. In line with data protection procedures, Your Leisure’s Data Protection Officer submitted their report to the ICO to meet the organisation’s legal obligations.
“Your Leisure was supported in their efforts to address this issue by Data Protection specialist Michael Griffin. Mr. Griffin made clear in his report to the ICO, the breach occurred due to an obscure, and hitherto unknown, function of 3rd-party software to which the Company’s website deployed for the purpose of providing a platform for job applicants to upload their CVs.
“After the investigation, it was concluded that Google’s bots automatically accessed (“crawled”) the CV upload file via the CPanel and put the document in a publicly accessible domain (Google search) which could be returned as a search result if narrow and specific keywords were used.
“Prior to the investigation, there was nothing obviously published on technical websites or data protection-related websites that highlighted the possibility of Google’s web crawlers doing this and it took several experts to piece together what had happened and why.
“Google removed the links from their search engine within their allotted timeframe to complete such actions.
“Your Leisure has submitted an appeal to the ICO and is yet to hear back and this is an ongoing appeal. All members can rest assured as this in no way has anything to do with the membership platform nor any other Your Leisure databases. It is an isolated issue linked to one contact form on one website with the form not in use since April 2021.”
