Staffing Agency Loses 28,000 Applicant Records: Misconfigured Cloud Storage Becomes a Nightmare
A staffing agency leaves 28,000 applicant records on a publicly accessible cloud storage for months. The consequences are devastating.
Category: Misconfiguration | Total damage: €2.1M | GDPR fine: €750K
The Incident
On July 22, 2025, security researcher Dr. Tobias Kern posted a thread on Mastodon that went viral within hours:
"A German staffing agency has 28,347 complete applicant records sitting on a publicly accessible S3 bucket. Resumes, certificates, pay stubs, ID card copies, medical clearances, criminal background checks. Publicly accessible for at least four months. I notified the company three weeks ago — no response."
The company was TalentBridge Personalservice GmbH from Düsseldorf, Germany: 85 employees, 2,400 active temp workers, annual revenue of 34 million euros. TalentBridge placed personnel in logistics, healthcare, and manufacturing, industries where applicants routinely submit sensitive documents.
The story behind the catastrophe began in March 2025. TalentBridge had migrated its applicant management system (AMS) from an on-premises solution to the cloud. The contracted IT service provider, a two-person company from Cologne, configured an Amazon S3 bucket as storage for uploaded application documents. Due to a configuration error, the bucket was set to "public": anonymous requests could list the bucket and read every object. No authentication, no encryption, no access control. Anyone who knew the bucket name could download all files. Two caveats a practitioner should keep in mind: since April 2023 new S3 buckets are created with Block Public Access enabled and ACLs disabled, so a bucket created in 2025 only becomes public when someone switches those safeguards off; and server-side encryption with S3-managed keys would not have helped, because S3 decrypts transparently for every principal allowed to read, and here that was everyone.
The bucket name was not particularly hard to find. S3 bucket names are globally unique and can be probed without an AWS account, and this one followed a predictable pattern: "talentbridge-bewerbungen-prod." Automated scanners that crawl the internet for open S3 buckets likely found it within days of the misconfiguration.
What lay on the bucket was a goldmine for identity thieves:
- 28,347 resumes with complete personal data
- 19,234 ID card copies — front and back
- 14,891 pay stubs with employer, gross salary, and bank details
- 8,456 employment references with detailed performance evaluations
- 3,212 medical clearances — particularly sensitive data under Art. 9 GDPR
- 1,847 criminal background checks with full register information
- 967 residence permits and work authorizations from foreign applicants
Four months, all of it freely accessible. Four months.
The Escalation
July 22, 2025 (day of the Mastodon post): Security researcher Dr. Kern had contacted TalentBridge on July 1 via email, registered letter, and fax. No response. On July 15, he had additionally reported the incident to CERT-Bund (the Computer Emergency Response Team of Germany's Federal Office for Information Security). Only after his Mastodon post generated thousands of reactions did TalentBridge respond — with a press release that made everything worse.
The press release claimed: "This is a limited incident affecting only a small number of records. We have immediately blocked access." In reality, there were 28,347 records, and "immediately" meant: three and a half weeks after the security researcher's first notification.
Days 2–5: The press uncovered the discrepancy between the press release and reality. Applicants who recognized their names in the Mastodon thread or media reports began filing complaints with the data protection authority. The North Rhine-Westphalia State Commissioner for Data Protection immediately opened proceedings.
Weeks 2–3: The situation escalated dramatically when it became known that among the affected applicants were victims of domestic violence whose current addresses appeared in their resumes, despite having a disclosure restriction registered at the residents' registration office. Two affected individuals had to relocate. TalentBridge covered the costs — reluctantly, and only after media coverage.
Month 2: Forensic analysis revealed that the bucket had been accessed at least 1,340 times from 89 different IP addresses — including addresses associated with known data broker networks. The data had very likely already been circulating in criminal circles.
Month 3: The data protection authority concluded its investigation. The fine: 750,000 euros.
Months 4–8: A wave of identity theft swept over the affected individuals. 347 cases were registered with police: fraudulent credit applications, bogus account openings, and order fraud using stolen identities. The average damage per victim: 3,200 euros. TalentBridge was sued in 89 individual lawsuits for compensation.
The Damage in Detail
Financial Breakdown
| Cost Item | Amount |
|---|---|
| GDPR Fine | €750,000 |
| Compensation (Settlements and Judgments) | €520,000 |
| IT Forensics and Incident Response | €140,000 |
| External Legal Counsel | €230,000 |
| Notification of 28,347 Affected Individuals | €85,000 |
| Relocation Costs for Threatened Persons | €18,000 |
| IT Infrastructure Rebuild | €195,000 |
| PR Crisis Management | €60,000 |
| Revenue Decline (Client Attrition) | €102,000 |
| Total Damage | €2,100,000 |
Reputation Damage
The Mastodon post was shared over 12,000 times. TalentBridge became the poster child for irresponsible handling of applicant data. Three major clients — including a logistics corporation with 400 temp workers — terminated their partnership. Applicants refused to submit documents. The number of new applications dropped by 61%, bringing the core business of staffing to a standstill.
On kununu, the employer review platform, reviews from temp workers accumulated: "This company can't even protect your personal data. Don't send any documents there."
Legal Consequences
The €750,000 fine was imposed on the following grounds:
- Art. 32 GDPR (Security of Processing): publicly accessible cloud storage without any access control for highly sensitive applicant data constitutes a severe violation. €400,000.
- Art. 33 GDPR (Notification to the Supervisory Authority): The notification came only after the public Mastodon post — not within 72 hours of becoming aware. The security researcher had informed them three weeks before the notification. €150,000.
- Art. 34 GDPR (Notification of Data Subjects): Affected individuals were only informed after media reports, not proactively. €100,000.
- Aggravating factors: medical clearances (Art. 9 GDPR) and criminal background checks (Art. 10 GDPR) are special categories of data. The misleading press release was taken as a sign that the company did not grasp the seriousness of the breach. €100,000.
Business Impact
The IT service provider who configured the S3 bucket was sued. The lawsuit for €750,000 in damages was still pending at the time of this publication. CEO Brenner was removed by the supervisory board. The new CEO had to overhaul the entire IT strategy and implement a data protection management system — a process that took twelve months and cost €350,000.
What Went Wrong
1. Cloud migration without a security concept: The migration from on-premise to the cloud was treated as a pure infrastructure project, not a security project. There were no security requirements, no threat modeling, no acceptance testing.
2. Unqualified IT service provider: A two-person company without demonstrable cloud security expertise was tasked with migrating highly sensitive personnel data. There was no data processing agreement, no qualification review, no references.
3. No verification of configuration: After the migration, no one checked whether the S3 bucket was correctly configured. A simple test, one unauthenticated GET against the bucket URL from a machine without AWS credentials, would have returned the object listing and revealed the error immediately.
4. Ignoring security warnings: The security researcher informed TalentBridge three weeks before publication. Three weeks in which nothing happened. No review, no response, no awareness that this was a ticking time bomb.
5. No secure document intake: Applicants uploaded their documents through an unsecured web form that wrote files directly to the misconfigured S3 bucket. A dedicated upload system with its own encryption and access layer, such as secure upload links, would have meant that even a public bucket exposed only encrypted blobs instead of readable documents.
Lessons Learned
Cloud security is a leadership responsibility. Moving sensitive data to the cloud requires a security concept that comes before the migration — not after. Configuring an S3 bucket as public is equivalent to placing the data on a digital marketplace.
Select and verify qualified service providers. When processing sensitive personnel data, the choice of IT service provider must not depend on the lowest bid. Certifications, references, and a data processing agreement under Art. 28 GDPR are minimum requirements.
Automated security checks. AWS offers free controls that detect or prevent publicly accessible S3 buckets: Block Public Access at the account level, IAM Access Analyzer for S3, and the S3 bucket permissions check in AWS Trusted Advisor. These controls must be switched on, and their findings must be routed to someone who acts on them.
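The check that was never run, as an added example that is not code from the original article or from any company it names. It evaluates the three settings S3 combines at request time (Block Public Access, the bucket policy and the bucket ACL) and classifies the reply to the unauthenticated probe described under "What Went Wrong". The two configurations are constructed samples in the shape of the JSON returned by `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-acl`; the account ID and role name in the corrected policy are placeholders.

```python
"""Offline assessment of S3 bucket exposure (added example, constructed samples)."""

# Canned ACL groups. AuthenticatedUsers means any AWS account in the world,
# which is public for all practical purposes, so both are treated alike.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM documents allow a string or a list in the same place; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy: dict) -> list:
    """Describe each Allow statement whose principal is anonymous."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        sid, actions = stmt.get("Sid", "<no Sid>"), ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            # aws:SourceIp or aws:SourceVpce may narrow this enough, or not; review by hand.
            findings.append(f"policy {sid}: {actions} for Principal * limited only by a Condition")
        else:
            findings.append(f"policy {sid}: {actions} granted to everyone")
    return findings


def public_acl_grants(acl: dict) -> list:
    return [f"ACL: {g.get('Permission')} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]


def assess_bucket(bpa: dict, policy: dict, acl: dict) -> dict:
    """Combine the settings the way S3 enforces them: RestrictPublicBuckets neutralises
    a public policy, IgnorePublicAcls neutralises public ACL grants. BlockPublicAcls and
    BlockPublicPolicy only stop *new* public settings, so they are reported but do not
    change the verdict."""
    cfg = bpa.get("PublicAccessBlockConfiguration", {})
    findings = [f"Block Public Access: {k} is off" for k in BPA_KEYS if not cfg.get(k, False)]
    policy_hits, acl_hits = public_policy_statements(policy), public_acl_grants(acl)
    public = ((bool(policy_hits) and not cfg.get("RestrictPublicBuckets", False))
              or (bool(acl_hits) and not cfg.get("IgnorePublicAcls", False)))
    return {"public": public, "findings": findings + policy_hits + acl_hits}


def interpret_probe(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET https://<bucket>.s3.amazonaws.com/
    (the HTTP request itself is left out so this runs offline). 200 with a listing means
    anyone can enumerate objects, 403 means the bucket exists but is private,
    404 NoSuchBucket means the name is unused."""
    if status == 200 and "<ListBucketResult" in body:
        return "public: anonymous listing succeeded"
    if status == 403:
        return "private: AccessDenied for anonymous requests"
    if status == 404 and "NoSuchBucket" in body:
        return "no such bucket"
    return f"unexpected response {status}"


BUCKET = "talentbridge-bewerbungen-prod"
# Weak (constructed): the state the article describes. All four BPA flags off,
# an allow-all policy, and a READ grant to AllUsers on the ACL.
WEAK_BPA = {"PublicAccessBlockConfiguration": {k: False for k in BPA_KEYS}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

# Corrected (constructed): all BPA flags on, reads and writes only for the application's
# IAM role (placeholder account and role name), TLS enforced, ACL reduced to the owner.
FIXED_BPA = {"PublicAccessBlockConfiguration": {k: True for k in BPA_KEYS}}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ams-upload-role"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                         "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, args in (("weak", (WEAK_BPA, WEAK_POLICY, WEAK_ACL)),
                       ("fixed", (FIXED_BPA, FIXED_POLICY, FIXED_ACL))):
        result = assess_bucket(*args)
        print(f"{name}: public={result['public']}", *result["findings"], sep="\n  ")
```

Run against the weak configuration it reports six findings and a public verdict; against the corrected one it reports nothing. The Deny statement in the corrected policy is deliberately not counted as exposure even though its principal is "*": a Deny never grants access. In a real review, feed the functions the live output of the three `aws s3api` calls, or switch on IAM Access Analyzer for S3, which performs the same reasoning continuously.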
Take security warnings seriously. When a security researcher reports a vulnerability, it is a free security audit — not an annoyance. The correct response: investigate immediately, remediate immediately, say thank you.
Professional document transfer. Applicants should submit documents through secure upload links — with automatic encryption, access control, and an audit trail. This eliminates the dependency on correctly configured cloud storage at the infrastructure level.
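What the access layer behind such a link looks like, as an added example that is not code from the original article and not SendMeSafe's implementation. Each link carries an HMAC-signed token that names the applicant, expires, and can be redeemed exactly once; every issue, acceptance and rejection is written to an audit log; files land under random object keys rather than their original names. Assumptions: the object store encrypts at rest (for S3 that would be SSE-KMS), so only the access layer is shown; `upload.example.invalid` is a placeholder host; the in-memory dict and list stand in for a real store and log.

```python
"""Signed, expiring, single-use upload links with an audit trail (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UploadLinkService:
    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key          # in production: fetched from a secrets manager
        self._now = now                  # injectable clock so expiry can be tested
        self._redeemed = set()           # nonces already used (single-use links)
        self.store = {}                  # stand-in for an encrypted object store
        self.audit = []                  # stand-in for an append-only audit log

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": int(self._now()), "event": event, **fields})

    def issue_link(self, applicant_id: str, ttl_seconds: int = 3600) -> str:
        """Create a link valid for one upload by this applicant within ttl_seconds."""
        claims = {"sub": applicant_id, "exp": int(self._now()) + ttl_seconds,
                  "nonce": secrets.token_hex(8)}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        sig = _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        self._log("link_issued", applicant=applicant_id, nonce=claims["nonce"])
        return f"https://upload.example.invalid/u/{body}.{sig}"

    def _verify(self, token: str) -> dict:
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        # Signature first, in constant time, so unsigned garbage is never parsed.
        try:
            valid = bool(sig) and hmac.compare_digest(_b64d(sig), expected)
        except ValueError:               # malformed base64 counts as a bad signature
            valid = False
        if not valid:
            raise ValueError("bad signature")
        claims = json.loads(_b64d(body))
        if claims["exp"] < self._now():
            raise ValueError("expired")
        if claims["nonce"] in self._redeemed:
            raise ValueError("already used")
        return claims

    def accept_upload(self, link: str, filename: str, data: bytes) -> dict:
        """Validate the link, then store the file and record what was received."""
        token = link.rsplit("/", 1)[-1]
        try:
            claims = self._verify(token)
        except ValueError as err:
            self._log("upload_rejected", reason=str(err), filename=filename)
            raise
        self._redeemed.add(claims["nonce"])
        # Random object key: the path reveals neither the applicant nor the file name,
        # so even a leaked key listing tells an attacker nothing.
        object_key = secrets.token_hex(16)
        self.store[object_key] = data
        digest = hashlib.sha256(data).hexdigest()
        self._log("upload_accepted", applicant=claims["sub"], object_key=object_key,
                  original_name=filename, size=len(data), sha256=digest)
        return {"object_key": object_key, "sha256": digest}


if __name__ == "__main__":
    svc = UploadLinkService(secrets.token_bytes(32))
    link = svc.issue_link("applicant-4711", ttl_seconds=600)
    print(svc.accept_upload(link, "lebenslauf.pdf", b"%PDF-1.7 constructed sample"))
    try:
        svc.accept_upload(link, "lebenslauf.pdf", b"second attempt")
    except ValueError as err:
        print("rejected:", err)
    print(json.dumps(svc.audit, indent=1))
```

The contrast with the incident is the point: the link, not the storage location, is the thing that grants access, and it stops working after one use or after the deadline, so a bucket listing is worthless without a valid, unexpired token and the audit log answers "who uploaded what, when" without forensic guesswork.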
Prevent the next cloud disaster. Try SendMeSafe free for 14 days — receive applicant documents securely, store them encrypted, log everything without gaps. No credit card required.
Frequently Asked Questions
How common are misconfigured cloud storage buckets?
Alarmingly common. According to a study by Qualys, approximately 31% of all S3 buckets are configured with insufficient access controls. Germany's Federal Office for Information Security (BSI) regularly warns about open cloud storage as one of the most frequent causes of data breaches. Configuring cloud storage is technically trivial — but a single wrong click can expose millions of records.
What special obligations apply to staffing agencies?
Staffing agencies regularly process particularly sensitive data: medical clearances (Art. 9 GDPR), criminal background checks (Art. 10 GDPR), and comprehensive personal profiles. They are therefore subject to heightened requirements: a Data Protection Impact Assessment under Art. 35 GDPR is usually mandatory, as is appointing a data protection officer. The retention periods for application documents must be strictly observed, typically a maximum of six months after completion of the application process.
Do I have a right to be informed as an applicant if my data is affected?
Yes, in a case like this. Under Art. 34 GDPR, the controller must inform you without undue delay if a data breach is likely to result in a high risk to your rights and freedoms. With 28,000 applicant records including ID copies and salary data, that threshold is clearly met. Independently of any breach, you can submit an access request under Art. 15 GDPR at any time to learn what data is stored about you.
What should I do if I am affected by a data leak?
Act immediately: Request a credit report and check for unknown entries. Inform your bank about the potential identity theft. File a precautionary police report — this facilitates later damage claims. Monitor your account transactions closely. And request from the controller a detailed account of exactly which data was affected and what measures have been taken.