{*Updated 2/4* by GoodHire Corporate. See bottom.}
In today’s climate of constant data breaches, any H.R. or recruiting professional needs to take extra time to ensure that a candidate’s or potential hire’s information is safe and secure. A friend recently informed me that they were going to use GoodHire for a background check after an offer to a potential employee had been given. Let’s call him “T,” as I’d like to protect his information. I’ve utilized GoodHire’s services in the past and often recommended them before others. Sadly, not anymore.
During a recent background check, my friend realized too late that the information he submitted wasn’t sent over a secure HTTPS connection. In an email to GoodHire’s support team, T. described the problem and then forwarded me the details. While they claim they’ve fixed the issue, there’s no mention that the issue existed or that they’d be taking it seriously.
As you can imagine, if true, this is an incredible violation of data best practices and could have legal repercussions for both GoodHire and companies utilizing their services. According to ftc.gov, all personal information should be encrypted when passed to another party online: “To guard your online transactions, use encryption software that scrambles information you send over the internet. A ‘lock’ icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.” T. stated that GoodHire’s lock was missing in the encryption process and, as you can see, there’s NO HTTPS connection during the data transmission. In fact, T. thinks he has an idea where the problem originated: at the server level.
So, what happened? T. logged into GoodHire to run a background check after an offer was extended to his future employee. In running the background check, T. noted that while he started on a secure HTTPS connection, it switched over to an HTTP connection when he was asked to submit information.
GoodHire had this to say on their website: “All transmission of personal data uses SSL (Secure Sockets Layer), a robust protocol for encrypting data online (check your browser’s address bar for the ‘https://’ prefix—this means you’re surfing with SSL protection). HTTPS connections are used throughout GoodHire’s checkout process for payment protection, and whenever you’re logged in to the site.” While correct in thought and practice, this didn’t happen in a recent submission. There’s no way to know how many other individuals experienced this. In fact, while this is a tremendous breach of security and privacy, the company doesn’t seem to be taking the threat to this individual’s personal information, or that of his employee, seriously.
What can you do to stay vigilant with your candidates’ information? Always check for a secure HTTPS connection and don’t simply trust a “lock” symbol. H.R. pros know that they hold extremely sensitive data and it’s their job to help protect a candidate’s personal info. Companies cannot be trusted to always do the right thing. Double-check your connection and never hesitate to close a page if you feel uncomfortable about submitting information or moving forward.
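The check described above can also be run from the site owner's side. The following is an added example, not code from GoodHire or from the original post: it flags any form that collects sensitive fields on a page that is served, or submits, without HTTPS. The URLs, field names and HTML are constructed, and the list of "sensitive" name fragments is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments treated as sensitive (an assumption for this example).
SENSITIVE_HINTS = ("ssn", "dob", "birth", "password", "license", "card")

class FormAudit(HTMLParser):
    """Collect each form's resolved submit URL and its sensitive field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._open = {"target": target, "sensitive": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            name = (a.get("name") or "").lower()
            is_password = (a.get("type") or "").lower() == "password"
            if is_password or any(h in name for h in SENSITIVE_HINTS):
                self._open["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def plaintext_forms(page_url, html):
    """Return (submit_url, fields) for sensitive forms not protected by HTTPS."""
    audit = FormAudit(page_url)
    audit.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    findings = []
    for form in audit.forms:
        target_plain = urlsplit(form["target"]).scheme != "https"
        # A form served over HTTP is flagged even if its action is HTTPS,
        # because the page itself can be altered in transit.
        if form["sensitive"] and (page_plain or target_plain):
            findings.append((form["target"], form["sensitive"]))
    return findings

# Constructed sample: a candidate-details page reached over plain HTTP.
SAMPLE_URL = "http://app.example.test/check/new"
SAMPLE_HTML = ('<form action="/check" method="post">'
               '<input name="candidate_ssn"><input name="candidate_dob"></form>')

if __name__ == "__main__":
    print(plaintext_forms(SAMPLE_URL, SAMPLE_HTML))
```

Running this over every page behind the login, not only the login and checkout pages, is what catches a session that starts on HTTPS and drops to HTTP on a later form.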
*Update* Jonathan Duarte from GoodHire replied. See below:
Thank you for bringing the encryption issue to our support team. The original problem that **** diagnosed on Friday was fixed later that afternoon. Early Monday morning, we responded on Twitter stating “All of our forms transmitting sensitive information are encrypted through HTTPS!”
Editor’s Note: I truly respect any company that reaches out swiftly and takes privacy concerns seriously.
3 Comments
Cool post. I always read article at least twice and then I tell myself.
On Friday, January 31st, 2013, GoodHire received a live chat notification from an existing client notifying our support team that a web page in our member services area was not using an encrypted connection.
At GoodHire, we take our clients’ privacy and confidential information seriously. Once this issue was brought to our attention, it was immediately escalated to our technical team who, within hours, launched a hotfix encrypting the page in question.
In order to guarantee our clients’ privacy and confidentiality, we have completed a full site audit. As such, additional steps have been taken to guarantee our clients’ confidential information is encrypted and secure.
To employ further preventative measures, we will continue to implement higher levels of security and encryption across all GoodHire member pages.
To be clear, at no time was there an internal “breach of security or privacy” of GoodHire’s servers that would have exposed confidential employer or employee information to a third party.
At GoodHire, we appreciate, and take seriously, the feedback we get from our clients. We know that the best way to build the best products and service is by listening to our valued clients and the greater human resources community.
If you have any questions about this, or other matters, we encourage you to contact the GoodHire Customer support team.
Thank you so much for your swift reply. I love how seriously you are taking this; it’s important. Thank you, Jonathan!