Homerun target of hackers: data of thousands of applicants leaked
Dutch software company Homerun has been attacked by hackers. A vulnerability in Apache webserver software allowed the attackers to access all customer data. As a result, the personal data of thousands of applicants was probably stolen.
Homerun is a company with an office in Amsterdam that helps companies with the application process. Homerun has developed an online application form that candidates must complete in order to apply for a vacancy. All data entered by the applicants ends up in the Homerun database.
Well-known Homerun customers include World Press Photo, WeTransfer, Dopper, Decathlon, Mollie, Tony’s Chocolonely, Renault Nederland, the VPRO and Belsimpel. Emails in which affected companies inform their former job applicants about the leak refer to “an unknown source” who had access to “all data of Homerun’s customers”. Homerun will not confirm this.
Between Wednesday, October 20 and Thursday, October 26, 2021, unauthorized parties had access to customer data stored on a cloud server at Amazon Web Services (AWS). The hackers exploited a vulnerability in the Apache webserver software that was known to cybercriminals. This enabled the as-yet-unknown hackers to remotely execute commands, steal access tokens, and access data. The patch for this vulnerability was released on October 15. Had Homerun installed this update, the data breach could have been prevented.
Apache is popular free, open-source software that is used worldwide to host websites. In this case, the perpetrators did not use ransomware or phishing tactics, which are common in these types of attacks.
Fixing the vulnerability in the Apache webserver software was Homerun’s top priority. “We immediately took the necessary measures, in collaboration with the renowned cybersecurity company Northwave. We then proceeded to inform our customers,” said an employee in a first reaction. Homerun does not believe it was a targeted attack, but rather that the attackers acted opportunistically and stumbled upon the company’s data by accident.
Homerun has reported the data breach to the Dutch Data Protection Authority, the company writes on its site. A report has also been filed with the police. The Amsterdam company also says that it will implement more privacy measures. For example, applicants should be given more control over their data and more opt-out features will be introduced in the privacy settings.
According to a Homerun employee, the vulnerability in the software has now been fixed by Northwave security specialists. That company has contacted the hackers on behalf of Homerun. The same employee says that Homerun, together with Northwave, has come to “an agreement” with the hackers. Homerun indicates that a ransom has been paid, which means that the “financial buffer the company has is now a lot smaller”.
It is difficult to say what information the hackers copied. This depends, among other things, on the data that applicants entered themselves when they applied for a position. It can be assumed that the more information applicants provided, the more data was stolen from them. This would include:
- first and last names;
- residential addresses;
- phone numbers;
- email addresses;
- motivation letters;
- profile pictures;
- notes taken during job interviews and procedures.
An employee of Homerun confirms to VPNGids.nl that the attackers have copied customer data, probably that of thousands of applicants. It is not yet clear how many victims are affected by the data breach at Homerun. On the forum of Tweakers.net, you can read that some candidates applied somewhere six months to four years ago and received an email last week that their data may have been viewed by hackers.
All stolen data erased by hackers
According to Homerun, the hackers have permanently deleted the customer data after negotiations with Northwave. The chance that stolen data will still appear on the dark web or hacker forums is therefore extremely small. “Northwave has informed us that there has been no previous occurrence of hackers leaking information after reaching an agreement with the affected company,” Homerun said.
In an e-mail to VPNGids.nl, Homerun CEO Willem van Roosmalen says that he wants to be as transparent as possible about the events, but says he needs more time to “collect and check all the facts”. He also indicates that he will publish a public page on the website on Tuesday morning with more details about the cyber attack and the data breach. Van Roosmalen was subsequently contacted by telephone several times for a response and additional questions, but did not take the opportunity to respond.
When asked whether Homerun stores data of applicants for years, Van Roosmalen says that Homerun does not have access to the data of its customers. “Our customers own their data in Homerun. They, therefore, have control and responsibility for which data they keep and for how long,” according to the director.
Due to the data breach at Homerun, various companies in the Netherlands have become victims. One of the confirmed victims is Hubper from Nijmegen, which develops online learning platforms for more than 150 customers. The company sent all applicants an email last week, informing them of the hack.
Another company that has suffered from the data breach is Q42. The company with offices in The Hague and Amsterdam develops apps, games, robots and websites. In an e-mail to those involved, director Jasper Kaizer says he is disappointed that this has happened. Nevertheless, he thinks it is important to be open and honest about the leak at Homerun, but: “I can’t make it more beautiful than it is,” Kaizer told a media outlet.