AIESEC, a nonprofit organization that claims to be "the world's largest youth-led organization," has exposed over four million trainee applications containing personal and sensitive information on a server without a password.
Bob Diachenko, an independent security researcher, discovered an unprotected Elasticsearch database containing applications on January 11, just under a month after the first exposure of the database.
The database held "job applications" containing each applicant's name, sex, date of birth and reasons for applying for the internship, according to Diachenko's write-up on SecurityDiscovery, shared exclusively with TechCrunch. The database also recorded the date and time at which an application was rejected.
AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days before Diachenko's notification, just before Christmas, as part of an "infrastructure improvement project".
The database was secured on the same day as Diachenko's private disclosure.
Laurin Stahl, AIESEC's global vice president of platforms, confirmed the exposure to TechCrunch but said that no more than 40 users were affected.
Stahl said the organization had "informed users who would likely figure at the top of the search results" in the database, some 40 people, he said, after the news came out. The organization found no significant requests for data from unknown IP addresses.
"Given that the security researcher has found the cluster, we have informed the users who would probably be at the top of the search results on all cluster indices," said Stahl. "The survey we conducted over the weekend showed that no more than 50 data records concerning 40 users were available in these results."
Stahl said the organization had informed the Dutch data protection authority of the exposure three days after it occurred.
"Our platform and our entire infrastructure is still hosted in the EU," he said, despite the organization's recent move of its head office to Canada.
Like companies and other organizations, nonprofits are not exempt from EU rules on collecting data about European citizens. For serious violations of the General Data Protection Regulation they are liable to a fine of up to 20 million euros or 4% of their total annual income, whichever is higher.
This is only the latest case of an unprotected Elasticsearch instance.
Last year, a massive database holding millions of real-time text messages was found and secured, as was data from a popular massage service, and an emoji app exposed the phone contact lists of five million users.
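The common thread in these incidents is an Elasticsearch node that listens on a reachable interface while authentication is switched off, so anyone who finds it can read every index. The following audit script is an added example written for this page, not AIESEC's configuration or tooling. It parses the flat `key: value` form of `elasticsearch.yml`, reads the real settings `network.host`, `http.port` and `xpack.security.enabled`, and flags the exposed combination. The two sample configurations are constructed, and the rule that any non-loopback bind address with security disabled counts as exposed is this script's own assumption, not an Elasticsearch rule.

```python
"""Audit an elasticsearch.yml for the 'reachable interface, no authentication'
misconfiguration. Editor-added example; sample configs below are constructed."""
import ipaddress

# Values of network.host that keep the node on the local machine only.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed sample: the exposed pattern behind incidents like the one above.
EXPOSED_YAML = """
cluster.name: applications-cluster
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no realms, no TLS, anonymous reads allowed
"""

# Constructed sample: same node with authentication and TLS turned on.
HARDENED_YAML = """
cluster.name: applications-cluster
network.host: 10.0.0.12        # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat `key: value` subset used by most elasticsearch.yml files.
    Comments are dropped; nested (indented) YAML is out of scope for this check."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def binds_publicly(host_value):
    """True if any entry in network.host could be reached from another machine.
    Accepts a single value or a list such as [_local_, _site_]."""
    hosts = [h.strip() for h in host_value.strip("[]").split(",") if h.strip()]
    for h in hosts:
        if h in LOOPBACK_VALUES:
            continue
        try:
            if ipaddress.ip_address(h).is_loopback:
                continue
        except ValueError:
            pass  # _site_, _global_, interface names, hostnames: assume reachable
        return True
    return False


def audit(settings):
    """Return a list of (severity, message) findings; empty means nothing found."""
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch default is loopback
    # Assumption: treat an absent xpack.security.enabled as disabled, since older
    # releases on the basic licence left it off unless set explicitly.
    security = settings.get("xpack.security.enabled", "false").lower()
    port = settings.get("http.port", "9200")
    if binds_publicly(host):
        if security != "true":
            findings.append(("HIGH",
                f"HTTP API on port {port} bound to {host} with "
                f"xpack.security.enabled={security}: every index is readable "
                f"without credentials"))
        else:
            findings.append(("INFO",
                f"node reachable on {host}:{port}; confirm TLS and realms are "
                f"configured and a firewall restricts which clients may connect"))
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_YAML), ("hardened", HARDENED_YAML)):
        print(label, audit(parse_flat_yaml(text)) or "no findings")
```

Run it against your own node's `elasticsearch.yml`; a `HIGH` finding means the cluster would look, to an outside scanner, exactly like the databases described in this article, and the fix is to enable security (or bind to `_local_` until it is enabled) rather than to rely on obscurity of the address.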