Hong Kong headhunter aimHigher under probe for alleged CV leaks

09 August 2017   Category: News, Asia, Global, Hong Kong   By Liz Mak

Hong Kong headhunting firm aimHigher is under investigation by the Privacy Commissioner for Personal Data as well as Hong Kong Police for allegedly leaking the curriculum vitae (CVs) of as many as 20,000 candidates online, prompting calls in the financial industry for greater scrutiny of search firms before they are hired.

A spokeswoman for Privacy Commissioner Stephen Kai-yi Wong tells Asia Asset Management that the case is the first on record involving a headhunting firm since Mr. Wong took office in 2015.

The incident came to light when an unnamed industry executive uploaded his CV on aimHigher’s website, and discovered via a web link in a confirmation email he received that the company had not been encrypting the data.           

When the executive realised he could potentially gain access to the personal data of as many as 20,000 candidates simply by altering the digits on a code contained in the link, he lodged an official complaint with the Privacy Commissioner.

“The Privacy Commissioner is looking into the incident, particularly as it concerns a large cache of detailed personal resumes containing the name, address, telephone number, date of birth, identity card number, education and work experience (of candidates),” Mr. Wong says in a statement.

“As a user of data, if a company has exposed clients or job applicants’ personal data for unauthorised access, even if the breach had happened in accidental circumstances, it will be in breach of the data security principles under the Personal Data (Privacy) Ordinance,” he adds.

Monica Chan, executive director of aimHigher, disputes that 20,000 CVs had been compromised in the incident, calling the figure “exaggerated”.  

She tells AAM that the company has “fixed” the security issues on its website, that it does employ some form of encryption to protect candidates’ data, and that CVs sent to the company by email had not been affected.

“We have reported the incident to the police on Wednesday afternoon (August 2). It is now a police matter. They are investigating,” she says.

According to the police, after being contacted by the Privacy Commissioner, Ms. Chan told police she believed the leak occurred because her company’s website was hacked, and asked for assistance.

“The case has been classified as a matter of 'computer use with criminal or dishonest intent' and has been handed over to the sixth team under the Central District Police Investigation Team for follow-up,” a police spokeswoman says in response to AAM’s enquiry. 

aimHigher has been in the headhunting business in Hong Kong since 2002. It has a large practice handling hiring for asset management companies.   

The company currently has 290 active job advertisements appearing on its website that are open for application online.

Benjamin Quinlan, chief executive officer of Quinlan Associates, a management consultancy, says the incident should prompt the industry to put more vigorous due diligence processes in place before engaging with search companies, the use of which has become increasingly widespread in recent years.

"They are not cheap. Typically, they charge 20%-25% of a salary package to handle the search process. In theory, the headhunter should be able to tap on the shoulders of a broader pool of talents. Sometimes the candidates do need to be wooed. And they are better placed to handle the conversations on salaries,” Mr. Quinlan says. 

But with the use of headhunting firms being increasingly prevalent, their ‘know-how’ and professionalism can sometimes be called into question, especially since job descriptions have become so detailed that "you don't need to be a rocket scientist", according to Mr. Quinlan.

“(Companies) don’t want to be seen with firms that don’t have the right data security and protocol in place. There should be a vendor-vetting process where these things are kept in check, in which they need to furnish a lot of evidence. Usually, the larger the company, the more robust is the policy. With smaller firms, maybe they don't always have the policies in place," he adds.

According to Mr. Quinlan, the data breach is also wake-up call for companies to only deal with reputable firms, and for candidates to be more alert about the details they provide on CVs.   

‘Contentious information’, such as proprietary business information, profit and loss data, portfolio risk limits, and detailed remuneration talks should be saved for the face-to-face discussion, he cautions.