Mumbai/New Delhi: The ever-bulging employee databases of companies are increasingly getting leaked onto the internet for want of adequate security measures and, in some cases, for want of investment in available cybersecurity technologies.
For instance, on 12 November, Amazon Inc. confirmed a 2023 employee data leak through a third-party vendor, bearing PIIs (personally identifiable information) of more than 100 million individuals from 2,000-plus companies—the biggest reported incident of its nature. Then, in October this year, US telecom firm Cisco faced a significant data leak of classified internal documents.
In India, the problem is getting more acute as companies attempt to increase their diversity quotient, as hiring or even retrenchments increase in a volatile economic environment, and as companies seek to roll out increasingly customised benefit plans for key employees.
Rajesh Padmanabhan, CEO of Talavvy, a Mumbai-based business transformation lab, said leaked employee databases can put the entire enterprise at risk, and breach of privacy means violation of corporate governance.
“For instance, if the list of diversity, equity and inclusion (DEI) details are leaked externally, then one can access information of the employees, their special abilities and sell them to insurance etc. without their consent,” he said.
“Firms are now outsourcing their payroll processes, insurance, HR services, and there is no way to keep track of whether those firms are keeping data safe,” said Dhiraj Gupta, chief technology officer of MFilterIt, a fraud detection and prevention firm.
Increase in data breaches
Noting that there has been a 20% increase in data breaches from corporates since 2022, including employee data, Gupta said that “employees have little knowledge where their database is stored and with whom”.
IBM’s global ‘Cost of a data breach, 2024’ report said that employee PIIs were a part of 40% of all breaches reported this year, which increased 10% over 2023. Further, the average cost of leaked employee information to businesses rose to $189 million for each breach—a 4.4% year-on-year rise. The overall cost of a data breach, $4.88 million this year, is at its highest ever.
The increasing popularity of generative artificial intelligence (GenAI) tools such as ChatGPT also increases the risk, experts said. While matching job hiring mandates with the candidate’s skills, many HR heads upload resumes on ChatGPT, which means the data of the candidate is available to others.
On the other hand, staffing firms that recruit for companies say they are aware of the leaks and take great caution.
“We have enhanced security audits and conduct them quarterly and, when needed, even more frequently. Access to data is restricted based on the specific role, ensuring only relevant information is available rather than all data,” said Neeti Sharma, CEO of staffing firm Teamlease Digital.
The recruitment firm, which hires in large numbers for its clients, told Mint that its employees and technology platforms are trained to distinguish between mandatory and optional data. “For instance, Aadhaar may be required for background verification, but other data points’ access may not be needed for everyone at all times,” Sharma added.
Aware of GDPR
Firms exposed to global clients are especially aware of GDPR (General Data Protection Regulation) compliance, which lays down the rules for handling personal data. GDPR was created by the European Union to protect the data of EU residents.
“Companies like India’s software exporters, which have US clients, follow GDPR guidelines. All our group companies ensure that personal data available with the firm—like insurance, PAN and Aadhaar etc, have limited access and are masked,” said Supratik Bhattacharyya, chief talent officer of RPG Group.
“We are also discussing potential ways of masking gender information of candidates to prevent any form of bias at the time of their hiring. Data security is discussed in detail whenever any new initiative is launched,” he further added.
However, protecting data is expensive, and companies often resort to hosting data in open-source platforms instead of investing more in cloud platforms that need to be upgraded.
According to the product head of a popular HR services platform, corporates need to invest in blockchain in order to make personal data access transparent to those who own the data. “But blockchain is very expensive, and companies do not want to invest in this technology,” this person said on condition of anonymity.
Transparent transfer of data
Blockchain, a distributed ledger that records transfers of data transparently, can establish accountability in the ownership and transfer of data. However, most blockchain implementations so far are public, leaving privacy and cost as key concerns.
Pareen Lathia, founder of blockchain-based web3 social network ValuesDAO, said that the usage of blockchain can potentially transform privacy and security standards in the long run, but the same is not happening now because the technology itself is on an evolutionary streak.
“Recruitment agencies have access to data from resumes, who then scrape it and sell it to partners without disclosure, this is a privacy issue,” said Lathia, adding that blockchain is specifically designed to solve this. An on-chain app where credentials can be posted lets the owner of the data access all of their own information, and see where and when they are transferred.
“But right now, the challenge is that blockchain networks make all information public—and require technologies such as zero-knowledge (ZK) or fast software encryption (FSE). But they are expensive, costing up to $0.5 (₹43) per transaction, which is too much for head-hunters to afford for each person’s application,” Lathia said.
Sam Altman’s Worldcoin, to be sure, is an option at hand for private blockchain deployment, where personally identifiable information can be attached to a person without compromising their identity or making the information public without consent. However, the latter remains expensive to deploy. “Realistically, this will take at least another year to scale up in the enterprise space,” Lathia said.