JOBSCIENCE DATA SECURITY INCIDENT
April 3, 2019 – San Francisco, CA
Jobscience, Inc.’s (“Jobscience”) TalentPath product has been the subject of a cyberattack that resulted in unauthorized third party access to certain TalentPath users’ information. The TalentPath service is a completely separate product that is not related to the Jobscience Salesforce product, which was in no way impacted. Jobscience takes the security and integrity of the data entrusted to us very seriously. To that end, Jobscience has been working with our customers to provide that as many individuals as possible whose personal information may have been implicated in the attack have been notified so that they can take appropriate steps to protect themselves. Today, Jobscience is reaching out to individual users whose data may have been implicated in the attack but who may not yet have been notified, while continuing to assist affected customers.
Jobscience learned in late August that an unauthorized third-party gained access to its TalentPath platform on or around May 8, 2018, and used that access to exfiltrate data stored on that environment. We promptly launched an investigation to identify the root cause and the scope of the data implicated, and shortly thereafter contacted our customers and began helping them with notifications to regulators and affected individuals. As part of our continuing review and investigation of the TalentPath incident, Jobscience discovered additional individuals whose data was implicated in the attack, but who may not have been notified initially.
Our investigation determined that the attack targeted only the Jobscience TalentPath platform. Our investigation also confirmed that no other Jobscience infrastructure was accessed or otherwise impaired. Customers of the Jobscience Salesforce service can be confident that their data was not affected by this incident.
WHAT INFORMATION WAS INVOLVED
While the potentially affected data for any particular individual varies, the affected data generally includes names and contact information, and in some instances information such as username, password, security question, Social Security Number, Driver’s License Number, or Alien Registration Number.
WHAT WE ARE DOING
We have already taken steps to address this incident and protect the information on the Jobscience platform from further unauthorized disclosure. In particular, once we identified the underlying cause of the unauthorized access, we took steps to address it by deploying patches to the environment. We also forced a password reset for all accounts so that the attacker cannot use any information gleaned from the attack to gain further entry to the TalentPath platform.
The security and confidentiality of the data we process is one of our top priorities, and we will continue to examine ways we can better protect that data.
WHAT YOU CAN DO
Jobscience has contracted with Experian IdentityWorks℠ to provide affected individuals with identity theft protection at no cost to them. Individuals will receive instructions on how to apply for the service. Individuals who do not receive a direct notification but who believe their information was affected, can find more information, including how to sign up for the identity theft protection to protect themselves, in the TalentPath Incident FAQs section below.
TalentPath Incident FAQs
1. Are you offering credit monitoring services to individuals whose information was compromised?
A: Yes. If you believe that your data was implicated in this incident, please visit Experian’s website at https://www.experianidworks.com/creditjobscience .
2. I never applied for a job with Jobscience or through Jobscience. How or why do you have my information?
A: You may have applied for a position with and/or been employed by a Jobscience customer that used the TalentPath service. In addition, someone acting on the your behalf, such as a recruiter, may have submitted your information to Jobscience or a Jobscience customer for a job position.
3. Should I close my credit card, bank account or other accounts ?
A: We have found no evidence of credit card, bank account or other account information in the data that was exfiltrated. If you have any reason to believe you may be the victim of identity theft, or notice any suspicious activity on any of your accounts, there are a number of important steps you should take, including immediately notifying the relevant account institution, your local law enforcement agency, your state’s Attorney General (https://www.usa.gov/state-attorney-general), and the Federal Trade Commission (www.identitytheft.gov).