{*Updated 2/4* by GoodHire Corporate. See bottom.}

In today’s age of constant data breaches, any H.R. or recruiting professional needs to take extra time ensuring that a candidate or potential hire’s information is safe and secure. A friend recently informed me that they were going to use GoodHire for a background check after an offer to a potential employee had been given. Let’s call him “T,” as I’d like to protect his information. I’ve utilized GoodHire’s services in the past and often recommended them before others. Sadly, not anymore.

During a recent background check, my friend realized too late that the information submitted wasn’t sent over a secure HTTPS connection. In an email to GoodHire’s support team, T. described the problem and then forwarded me the details. While they claim they’ve fixed the issue, there’s no mention that the issue existed or that they’d be taking it seriously.

As you can imagine, if true, this is an incredible violation of data best practices and could have legal repercussions for both GoodHire and companies utilizing their services. According to ftc.gov, all personal information should be encrypted when passed to another party online. “To guard your online transactions, use encryption software that scrambles information you send over the internet. A “lock” icon on the status bar of your internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.” T. stated that GoodHire’s lock was missing in the encryption process and, as you can see, there’s NO HTTPS connection during the data transmission. In fact, T. thinks he has an idea where the problem originated: at the server level.

So, what happened? T. logged into GoodHire to run a background check after an offer was extended to his future employee. In running the background check, T. noted that while he started on a secure HTTPS connection, it switched over to an HTTP connection when he was asked to submit information.

 

GoodHire had this to say on their website: “All transmission of personal data uses SSL (Secure Sockets Layer), a robust protocol for encrypting data online (check your browser’s address bar for the “https://” prefix—this means you’re surfing with SSL protection). HTTPS connections are used throughout GoodHire’s checkout process for payment protection, and whenever you’re logged in to the site.” While correct in thought and practice, this didn’t happen in a recent submission. There’s no way to know how many other individuals experienced this. In fact, while this is a tremendous breach of security and privacy, the company doesn’t seem to be taking the threat to this individual’s personal information, or that of his employee, seriously.

What can you do to stay vigilant with your candidates’ information? Always check for a secure HTTPS connection and don’t simply trust a “lock” symbol. H.R. pros know that they hold extremely sensitive data and it’s their job to help protect a candidate’s personal info. Companies cannot be trusted to always do the right thing. Double-check your connection and never hesitate to close a page if you feel uncomfortable about submitting information or moving forward.
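The failure described above, a page loaded over HTTPS whose form then submits over HTTP, can be checked for directly in a page's HTML. The following is an added example, not code from GoodHire or from the original post; the host `checks.example`, the field names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "fields": []})
        elif tag in ("input", "select", "textarea") and self.in_form:
            self.forms[-1]["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def insecure_forms(page_url, html):
    """Return one finding per form whose submission target is not HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action resolves against the page's own URL,
        # so a form on an http:// page is flagged even without an action.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append({"target": target, "method": form["method"],
                             "fields": form["fields"],
                             # True when a secure page hands off to plain HTTP.
                             "downgrade": urlsplit(page_url).scheme == "https"})
    return findings


# Constructed sample page (hypothetical host and fields, not GoodHire's markup).
SAMPLE_URL = "https://checks.example/order/step1"
SAMPLE_HTML = """
<form action="/order/search" method="get"><input name="q"></form>
<form action="http://checks.example/order/candidate" method="post">
  <input name="full_name"><input name="ssn"><input name="dob">
</form>
"""
```

Calling `insecure_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the second form, with `downgrade` set because the page itself was served over HTTPS.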

*Update* Jonathan Duarte from GoodHire replied. See below: 

Thank you for bringing the encryption issue to our support team. The original problem that **** diagnosed on Friday was fixed later that afternoon. Early Monday morning, we responded on Twitter, stating “All of our forms transmitting sensitive information are encrypted through HTTPS!”

At the time of the Twitter post, we were still in the midst of an entire site security audit. And while the statement was true, and there were no other unencrypted forms, a better message could have been drafted, as a complete audit of the site was still not complete.
 
During the site audit, it became apparent that the individual background report page was not encrypted, as **** later tweeted about. At this time the two pages that **** originally referred to are now encrypted, as can be seen by the attached screen shots.
 
To further ensure our customers’ data is encrypted and safe, we are moving all member area pages to encrypted pages. We greatly appreciate your feedback, and will continue to listen to our clients to make our services safe and secure for our clients and applicants.

 

Editor’s Note: I truly respect any company that reaches out swiftly and takes privacy concerns seriously.