Recruitment company achieves data security certification after breach

Tuesday 11 February 2020

A local recruitment company has achieved the international standard for information security management, after being targeted by “hostile” hackers who stole private information about family members, ID details and travel itineraries.

CSS Limited received confirmation of their certification to ISO 27001 after a two-day audit conducted by an independent external auditor, on behalf of the British Assessment Bureau.

During the audit, CSS staff had to demonstrate and provide evidence that they met the international standard on how to deal with all aspects of Information security within the organisation, combining both, physical, intellectual and electronic security on various levels and platforms.

“This was a very intense audit, much harder than 9001,14001 and 45001 audits," Elaine Feltham, CSS’ Data Protection Advisor, commented. "It was a great relief and privilege to receive certification, and I cannot praise our team enough for all their hard work and commitment."

“Being the only offshore recruitment company known to achieve ISO 27001 certification and indeed all 4 ISO standard, has given the company great kudos," Christopher Inns, Operations Director, added. "It’s been a long, learning curve to get here and without the support of our IT provider and amazing employees, we would never have received certification."

The news of CSS' certification comes after Jersey’s Data Protection Authority revealed they had suffered three data breaches across 2018 and 2019. 

One of the breaches involved a system shutdown in August 2018 when CSS was attacked by the GandCrab virus.

The most serious incident came in November 2018 when the company’s systems were infiltrated by a “hostile third party”, which led to a “loss of information about data subjects including identity information, travel itineraries, family information and employment documentation” – information that could be used to facilitate identity theft.