NJ talent firm exposed thousands of resumes, detailing immigration statuses and security clearances

A New Jersey talent acquisition firm exposed the resumes and personal information of at least 30,000 prospective workers by leaving a database on the internet without a password.

The database belongs to Voto Consulting, a North Brunswick company that finds U.S. jobs largely for Indian IT professionals.

It’s not known exactly how long the database was exposed, but it was first indexed by Shodan, a search engine for exposed devices and databases, on May 10. The database was discovered by Anand Prakash, a security researcher and founder of PingSafe AI, who provided details of the database to TechCrunch.

Because the database was exposed to the internet without a password, anyone could search it from a web browser.

The database contained names, email addresses and candidates’ resumes — many of which contained detailed work histories, as well as other personal information, like home addresses, phone numbers and dates of birth. In many cases, resumes also revealed candidates’ immigration statuses, such as whether they had a visa, work authorization or citizenship, as well as details of a person’s security clearances required for some U.S. federal government jobs. Although the existence of a security clearance may not necessarily be a secret in itself, foreign governments have long sought to exploit and blackmail those with security clearances for intelligence gains.

TechCrunch contacted Voto chief executive Lynel Fernandes with a link to the exposed database on May 11, but we did not hear back nor did the company immediately secure the database. (One message sent with an open tracker showed our email was opened several times but ignored.)

After not hearing back, TechCrunch notified the New Jersey Cybersecurity and Communications Integration Cell, a state government agency tasked with cybersecurity information sharing and incident reporting, which agreed to notify Voto by email and phone about the exposed database.

The database has been offline since Tuesday, more than two weeks later. At the time the database was secured, it had grown in size by more than five-fold, listing more than 170,000 entries in total.
