200,000 CVs inadvertently exposed online

23 October 2019

Your data is only as secure as the business practices and safeguards of the people you entrust it with.

Last week Sky News revealed that two online recruitment firms exposed more than 200,000 CVs which held candidate’s personal information; including names, addresses, phone numbers and career histories. Both data security breaches were discovered by security researcher Gareth Llewellyn, who found that both companies had their Amazon Web Service (AWS) clouds set to ‘public’, which meant that they could be accessed by anyone with the IP address of that ‘bucket’ of data. Both buckets have now been correctly changed to private. It isn’t our business to name and shame here, but if you are curious, you can read the Sky News article here.

Concerns around data privacy in the recruitment field aren’t exactly new for us. In March this year, we conducted our own research into data privacy in the legal recruitment field, and the findings were worrying. We reached out to 152 legal recruitment firms in the UK using data Subject Access Requests (SARs) under Article 15 of the General Data Protection Regulation (GDPR). You can find the full access request email we sent here, but to summarise, we requested:

  • Confirmation of whether our personal identifying information (PII) is being processed by the company or their affiliates
  • The categories of PII processed
  • The type of PII processed in their information systems
  • A list of all third parties who have had access to our PII
  • How long our PII has been stored and how long categories of PII are retained
  • An explanation of technologies or business procedures in place to ensure that PII is not inadvertently disclosed

These firms were given one month to respond with the requested information in accordance with Article 12 of the GDPR.

Of the firms contacted, only 55.9% responded within the 30 day period, leaving a huge 44.1% in breach of Art 15 by not responding. Even worse, 10 of the non-responder’s nominated GDPR request email addresses were fictitious or had been deactivated, so the email bounced back. Of those who did respond, 80% requested no further identification past the SRA number included in the request email. Of the 20% that did request further identification, less than half requested photo identification.

You should be the one in control of your data, and with Route1, you are. Your data belongs to you and you have full control of it through your Route1 account. Remember, a lot of damage can be done if your PII falls into the wrong hands, so only provide your data to companies with excellent data security track records.

If you want to see our methodology and the full results of the research we conducted in May, you can read the full version here


We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white collar sectors, using GDPR compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.

Route1 is an award winning marketplace for legal talent. For any questions, please contact our Engagement Team or visit our Contact Us page for more information.

More Insights

Route1 Market Report – Q2 2020

Route1 Market Report – The Impact of COVID-19 on the Legal Recruitment Market

4 Challenges Facing Firms Currently

Coronavirus: Testing Tech Competence in Law

Our Partners