Tuesday, 4 May 2010

Recruitment consultancy May and Stephens leaks client's confidential personal data

In December last year, like many others in my company and across the world, I was made redundant. It’s quite the thing these days, and the change in lifestyle brings with it a raft of advantages. One such is making new friends and influencing people at the Department for Work and Pensions (DWP).

The last time I signed on the rock’n’roll, the Department of Health and Social Security obliged one to queue for hours at one of its dark, satanic mills every fortnight. This was undertaken under the pernicious gaze of misanthropic civil servants who gave every impression of hankering for unemployment themselves, in preference to dirtying their hands with the hoi polloi.

These days, however, while the bi-weekly signing ritual remains, the offices are pleasantly bright and airy (although the guilty-pleasure letterbox-plop of the subsequent giro has disappeared), and several DWP employees will swoop on the lost-looking first-timer to enquire if they may be of assistance. The spongers and scroungers of yesteryear are now ‘customers’. Customers’ names are called, if not exactly with the deferential warmth of a maître d' greeting a valued customer, then at least with the recognition of one belonging to a common species hailing another. My Customer Services Advisor, a courteous and friendly young lady, greeted me by name, shook my hand and explained how things work at the social these days.

In one of those weird reversals of terms one often stumbles across now the public sector models itself on the private sector, the unemployment game is, thanks to the recession, a massive growth sector. Just as a private company might spend to increase profit during a boom, so the DWP’s budget and remit has been expanded to meet the influx of ‘customers’. (A word of warning: it is to invite a headache to imagine the nightmarish balance sheet on which the decrease in costs to the state incurred by benefit payments can be expressed as a profit to justify this increased spending.)

One of the ways the DWP has diversified its operation is in partnering with private-sector employment consultants. The recession, my Customer Services Advisor told me, had emphatically changed the role of the DWP in ways for which it had not been designed. Before, she explained, when a newly redundant plumber (for example) walked through the door, the jobcentre would give said plumber whatever benefits were deemed necessary until an employer needing a plumber was found, whereupon the DWP would pack him a sandwich and an apple and wave a hanky from the doorway, brushing away a tear as he toddled off to his first day back at work (I paraphrase).

In these post-credit-crunch days it’s all different, said the Customer Services Advisor. People who have spent decades toiling away with job titles requiring a PhD in Applied Cleverness to understand have come a cropper in the recession, and this has presented a whole different ball game. Hence the very sensible decision by the DWP to outsource work dealing with white-collar recruitment to private-sector companies with more experience in the field.

High times

In a momentary lapse of judgement, the Customer Services Advisor asked if I was interested in such a referral. I jumped at the chance. As part of my redundancy package, my former employer had packed me off to an employment agency specialising in ‘career counselling’ - which I had thoroughly enjoyed - and I was eager to repeat the experience.

(The basic deal is this: you potter along, they ask you what your plans are, you tell them and they spend a few hours telling you, in a number of different and ever ego-expanding ways, how brilliant the rest of your life will turn out. There’s a bit more to it than that, but those are the salient points. Seriously, after the first time, I hit the pub feeling a million dollars. It is of course an illusory, fleeting experience, but people pay serious money to achieve that buzz of elation - usually through illicit means - so if the opportunity comes along for free and it’s legal, I say one should grasp it with both hands.)

As it turned out, (as is usually the case), I couldn’t achieve the same high as the first time. Nonetheless, I wouln’t poo-poo it by any means. The agency to which the DWP sent me, May and Stephens, were the epitome of professional courtesy, my consultant an extremely bright and creative person who knew a lot about my field, and I retired to the Fuller’s pub down the road for an ESB if not with the high of before, at least with a sense of quiet confidence and industry. I knew from before that it probably wouldn’t last long, but wallowed without reserve while it lasted.

Phishing scams

However, not long after my visit to the DWP and subsequent excursion to May and Stephens, I found myself the target of emails from shadowy characters who somehow knew I had recently been made unemployed, purporting to represent companies offering me employment on the strength of my CV - the fly in the ointment being that I hadn’t then had the time to send out my CV.

They were, by the standards of other phishing operations I’ve seen, a bit clumsy, but that’s not to understate the seriousness of this kind of cyberfraud. Exact figures are difficult to come by, (cybercrime is under-reported), but it is thought that in 2005, criminals netted £23.2m through phishing scams in the UK alone.

The inscrutable Gary Hall, for example, sent me word that EPS – presumably the courier company, although a quick look at Google also suggests the European Physical Society, Environmental Property Services or possibly (and much, much more enticingly!) the Experimental Psychology Society – had in mind for me a highly desirable, if slightly mysterious career:


Our company EPS is pleased to offer you a well-paid part-time job.

Location : United Kingdom

If you are interested, please reply to : dawsonrenee65@gmail.com with your short resume.

Best regards,

EPS Team

Mr Willie Jones, purporting to represent container logistics company Tarros, was more effusive, while getting to the point straight away:


We have found and reviewed your CV and decided to offer this job to you.

Supply Department Agent.

Job Responsibilities:

Receiving, checking quality of the packages, sorting packages according to zip code and/or town name, shipping out packages to our clients with your local postal service (working with shipping labels).

For candidates interested in reviewing our current opportunities, the following are the basic requirements:

- UK Citizens.

- Should not be below 21 years of age.

- Ability to receive day time mail and packages.

- Can dedicate at least 2-3 work hours/day.

- With a working e-mail address and a telephone access.

If you are interested, please reply to : all@redhot-logistics.com with your short resume.

Sincerely yours,

Willie Jones.

Tarros Europe Group

A shame, then, that a quick Google search showed this also to be a scam.


So how could these people know that I had recently been made redundant, and where had they got my email address from? The two obvious suspects were the DWP and May and Stephens, given they were both directly involved with my recent change in employment circumstances, and both had just received personal data relating to this, including my email address.

At first, and without a scrap of evidence, I cast the gaze of suspicion towards the DWP. Given the string of public-sector data security breaches in recent years, it is perhaps natural – if unfair – to suspect first the people whose salaries depend not on competence and performance, but continued support from the public purse. However, a recent incident gave me leave to reconsider who might be playing fast and loose with my personal data, when I received a round-robin email from May and Stephens, displaying to each of about seven hundred or so recipients everyone else’s email address.

With the near-universality of phishing activity, (I don’t know one person with an email account who hasn’t received some sort of cybercrime bait), this is serious enough in itself. But there is a broader principle which is of greater concern: If such organisations - which, by dint of the nature of their business, hold large amounts of confidential, personal data - do not see the need to train staff adequately in the most basic of office IT applications, such as email, to protect this data, what reason can there be to presume they take any more rigorous and technical measures to observe the requirements of the Data Protection Act, such as shoring up security on their servers where wider-reaching and more sensitive confidential personal information is held? How is data transferred, and using what encryption methods?

Here is the ‘reply all’ I sent to May and Stephens, as well as the other addressees (whose details, incidentally, I have deleted from my system):

Dear Mr Vincent.

Thank you for your recent email, thanks to which I now have the email addresses of around seven hundred of your clients. To someone less principled, an extensive list of the confirmed personal email addresses of six or seven hundred white-collar workers, who have recently sought the services of an agency offering job search consultations, could offer all sorts of lucrative avenues.

Not least of which might be phishing scams purporting to originate from legitimate companies offering employment possibilities. Funnily enough, I myself have been on the receiving end of such phishing attempts, shortly after handing my personal data to May and Stephens.

However, just in case one of your clients does take exception (I have blind-copied all 700 or so of them in on this email, as well as several other agencies who might take an interest), in your place I would take pre-emptive action. This might, for example, include alerting your company lawyer (assuming you have one) that there has been a significant data breach.

You might also care to peruse the Data Protection Act 1998 at your leisure (http://tiny.cc/DPAbreach) and consider whether, besides the legal issues, protecting clients' personal data might or might not constitute one of the most basic requirements of professionalism in a recruitment company - which necessarily holds much confidential personal data about its clients - such as May and Stephens.

I would be most interested to hear your thoughts on the matter. Indeed, if any of the other recipients of this email would care to comment, I have posted the whole story on a blog, http://methuselahsdiary.blogspot.com, feel free to leave your thoughts in the comments section, I’m sure we’d all be most interested!

On a brighter note, isn't this delightful weather we've been enjoying recently?

I remain your obedient servant,

Right of reply

Long before sending that, I did approach the managing director of May and Stephens, Jackie May, by phone and by email, to allow her to give her side of the story. I asked her a number of specific questions:

1. How important does May and Stephens regard the protection of the confidential data it holds about clients and partners?

2. Has May and Stephens' attitude toward data protection evolved in recent years?

3. Did the public sector data protection scandals in 2008 and 2009 cause May and Stephens to revisit its data security policies?

4. Is data security an IT issue or an HR issue?

5. Does May and Stephens hold any data security training for staff?

All of which, I thought, were fairly pertinent to May and Stephens’ data breach and its implications.

Alas, no reply was forthcoming (I took care to hold back from posting this to give Ms. May a reasonable amount of time in which to reply). What did come, however - the very next day - was another email from the hapless Mr Vincent:


Thank you for all your replies.

Please accept our deepest apologies for the mistake made in the previous email. I can assure you that it won't happen again. Thank you for your cooperation.

Kind Regards

David Vincent

Now I’m guessing that the phrase ‘thank you for all your replies’ has a story of its own to tell (‘it won't happen again’), and I might not have been the only one with a grumble. I’d be delighted to see your opinions in the comments box, whether it be from fellow breachees, or from a representative of May and Stephens (come on Jackie!) who might like to share with us their thoughts on ‘the mistake’ or just from anyone with a view on data protection.

I would like to assure everyone that after I sent those emails, I completely deleted all traces of your digital data, including email addresses, from my system. If you are worried about having been made vulnerable to phishing attacks, there are a number of online resources:

Information Commissioner’s Office

Anti-Phishing Working Group

Microsoft Online Safety

Bank Safe Online

Phishing attack: how to avoid becoming a victim

National Consumer League’s Internet Fraud Watch

How Phishing Scams Work

What is phishing?

FAQ: Recognising phishing emails

There is also a wide range of commercial identity protection software products available.

On the plus side, however, every opinion poll this morning seems to suggest a hung parliament on Friday, meaning we’ve got months, possibly years more of this interminable election stuff banging on and on and on in the papers, on the internet, radio and telly. Hurrah!

data act, privacy and data protection, data protection 1998, data protection act 1998, data protection legislation, legislation act, data protection, protection data, data protection training, data controller, access to information, access to files, breach data security, data breaches, data breach protection, threats security, plan security, best practices security, phishing scam, email phishing scams, phishing email scams, report phishing scam, dwp, dwp uk, dwp jobs, dwp benefits, dwp benefit, dwp work, dwp contact, dwp website, May and Stephens, the recruitment agency, recruitment agency, recruitment agencies, staff recruitment agency, recruitment agencies uk


  1. Very interesting...
    What do you plan to do next?

  2. Probably just sit tight and see what the Information Commissioner's Office has to say.

  3. Aha! That explains all the phishing emails I've been getting. :) And I also thought Mr Vincent's subsequent email to be, well, pretty lame considering the enormity of his lapse. (I didn't contact him by the way, but hope he sees your blog and that many people will comment here)

    And Jackie May - I guess she is one of those who has yet to grasp what might happen to those directors / companies who opt for silence instead of a well-thought out answer to completely reasonable questions.

    I will watch this space with interest.

  4. Hello,

    As a proffesional recently made redundant, i was asked by the rock n roll to visit MayStephens. I didnt want to but my advisor was very enthusiastic that this was the new thing they were embarking on that could well sort everything out.
    Although they were all very nice people, they didnt tell me anything i didnt already know.
    Why does the government pay private sector companies such money?
    The problem is not that highly qualified people dont know how to write a cv or do jobsearches etc, but that there are'nt any jobs for them to fill!
    And then they loose data! This is a waste and a silly set up!

  5. The 'obedient servant' appears to have too much time on his hands. I was also included in that e-mail and have had no spam or phishing attempts as a result of it. I saw it purely as an innocent mistake and moved on (to continue to look for work).

    Incidentally, I haven't had a single spam e-mail in 6 years, but then I know how to use e-mail and I recognise that the responsibility for my mailbox ends with me. Mistakes will happen, but how exactly you intend to prove the phishing attempts you got were a direct result of the mistake made by May and Stephens will be very interesting - and crucial - to your whole case. Good luck with that because it's far more likely that your email address was stolen from a job search website (hence how they know you're unemployed) - or even from this blog site - as the security on almost all of these sites is pitiful.

    I wish I had the time to blog about Gordon Brown and phishing attempts unproven as a result of an email mistake, but I have a job search to get on with.

    I agree with Joanne. It's jobs we need, not job advisors.

  6. Alas I too had many similar experiences after my recent redundancy. The upside of all the dodgy "jobs" listed on the DWP's own website, in addition to the numerous other contacts you get after registering with recruitment sites, all emails count towards your six applications/activities a week when claiming aforementioned rock and roll. Something for nothing?

  7. I have visited May and Stephens, after loosing may job, there were really nice and helpful, but after that i did not received emails that I considered to be spam. However I do understand the concern and is very likely that May and Stephens sold their data...money..money..money!!!

  8. I wonder where the idea came from to outsource to a consultancy? Maybe from a management consulting firm? Don't get me wrong, there are many, many problems in all areas of the public sector, but the idea of public money going to private profit is very distasteful to put it mildly.

  9. See what happens when you leave your email unattended for a couple of days? Several interesting developments and a decision to make, (which, in the spirit of the times, I am minded to offer up to the vote - fancy a referendum?). Watch this space next week.

    Anna L: On a couple of the points you raise, I hope your vigilance will be rewarded with the next post. I'm being deliberately vague for the moment, I hope all will become clear.

    Joanne: So long as the public sector is flashing the cash, there are a few jobs out there in, um, taxpayer-funded recruitment consultancy. The question is, would it be simpler to just pay them less and save the Inland Revenue the job of taxing them to generate contributions to their own salaries (a perpetual-motion model of fiscal stimulus)? Or would that simply lead to redundancies in the Inland Revenue? etc, etc, ad infinitum

    Rallydriver: Bully for you sir! That's the spirit. Good luck with the job hunt to you and everyone else.

    Mr Highwayman: Seriously, are you telling the DWP these phishing scams constitute part of your 6 a week? That's like including deep-fried chips as one of your 5 a day!

    Clem: Such cynicism. In regard of which, to any libel lawyers casting a jaundiced eye over these comments, I'd like to go on record that none necessarily reflect the opinions of Methuselah, Lamech or any other Old Testament characters.

    Falcozappa: Public/private partnerships have been putting taxpayers' money into shareholders' pockets for a while now. The theory of the market being more agile and efficient than the state usually does quite well until someone pops up to mention management consultants, so cheers for that.

  10. Your blog is very enriched. You can see my website Mana Resourcing which is a professional and established recruitment agency that has dedicated consultants for engineering recruitment agencies, sales recruitment agencies, supply jobs and teaching jobs in Northamptonshire, Northampton, Corby, Peterborough, Leicester, East Midlands.

  11. At the end of the day it was just our email addresses. Not really personal data!!!. You give out your email address to anyone all the time, that's the point!. I work in IT so I can spot a dodgy Phishing email from a mile away. Simple rule, if you don't know the person who sent it, or you’re not sure about the content, delete it. No big deal. If it’s a genuine enquiry, they’ll find another way to get hold of you.

    One tip to protect yourself, is to check the links in the emails match where they’ll be directing you to. To do this, hover your curse over the link/hyperlink. In the bottom left corner of your browser (Mainly IE, but should show up on most browsers somewhere), the address relating to the link you just hovered over, should be displayed and be the same link strain. If this link content in the browser, doesn't match the link address in the email, then just BIN IT. It’s most likely a dodgy email.. And there’s no point taking the risk.

    Poor guy must feel bad, it was just a simple mistake, any one of us could make. Does he really deserve a slap this big!!

    Now if it was financial data, then this would all be a different conversation. And I’m sure their data controller would be called in to answer some very serious questions, about their data security policies and procedures.

    To be honest we've wasted way to much of our time on this, I’m sure the guy feels bad enough.

    Let's just focus our time and efforts on finding a JOB!

  12. Anon, superb that you would make the effort to come round just to deliver that coup de grace! Words fail me! But clearly not you! It is of course very important to have an opinion on the internet, and you have not failed the human race in delivering the sum of your clearly classical education. Perhaps there might be another pearl you could throw our way? I beseech you, please, dear God! please do not be shy in dispensing your pearls of wisdom.

  13. Thanks for sharing, I will bookmark and be back again

    Employment Consultants in Chennai