UK staffing agency exposes gig workers: passports, visas, and more made public

A UK staffing agency has leaked the passports of tens of thousands of gig workers, exposing them to identity theft and various other frauds.

GigtoGig, a UK-based temporary staffing agency, accidentally publicly exposed a treasure trove of worker data, exclusive Cybernews research has revealed.

GigtoGig claims to work with big brands such as Hilton, Sainsbury’s, Marriott, and G4S.

GigtoGig and similar firms connect businesses with workers for short-term projects, providing companies with a reliable workforce and offering workers diverse job opportunities along with payroll and insurance services.

On August 5th, during a routine investigation, our research team discovered a misconfigured Amazon AWS S3 bucket, which they managed to attribute to GigtoGig. Unfortunately, the database, which contained 217,000 sensitive files, was exposed to the public, meaning that anyone could access it without having to enter a username and password.
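The misconfiguration described above, a bucket that anyone can read without presenting credentials, is something a bucket owner can audit from the bucket's own policy document and its Public Access Block settings. The script below is an added example written for this article, not code from Cybernews or GigtoGig. It uses only the Python standard library, so the bucket name, account id, role name and policy documents are constructed inline; it assumes the policy is a JSON document and the Public Access Block is a dict of the four AWS flags, which is the shape boto3 returns from get_bucket_policy() and get_public_access_block().

```python
"""Audit an S3 bucket policy plus Public Access Block for anonymous read access.

Added example (not from the article or the company it describes). Standard
library only: the policies and settings are constructed below rather than
fetched from AWS.
"""
import json
from fnmatch import fnmatchcase

# Permissions that, granted to everyone, make a bucket listable and its objects
# downloadable without a username or password.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json):
    """Return Sids (or statement indexes) of Allow statements giving anonymous read/list.

    Action patterns such as "s3:Get*" or "s3:*" are matched with shell-style globs,
    so wildcard grants are caught as well as literal ones.
    """
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatchcase(t, p) for t in READ_TARGETS for p in patterns):
            hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


def assess_bucket(policy_json, public_access_block):
    """Combine policy findings with the bucket's Public Access Block flags.

    RestrictPublicBuckets makes S3 ignore public grants in the policy, so a public
    statement only amounts to an exposure when that flag is False.
    """
    hits = public_read_statements(policy_json)
    restricted = bool(public_access_block.get("RestrictPublicBuckets", False))
    return {
        "public_statements": hits,
        "restrict_public_buckets": restricted,
        "anonymous_read_possible": bool(hits) and not restricted,
    }


# Constructed sample: a policy that lets anyone list and download every object.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-hr-docs", "arn:aws:s3:::example-hr-docs/*"],
    }],
})

# Constructed sample: the same bucket, readable only by one IAM role in the account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "HrRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/hr-ingest"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-hr-docs/*",
    }],
})

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BLOCK_NONE = {key: False for key in BLOCK_ALL}

if __name__ == "__main__":
    for name, policy, pab in [("open policy, no block", OPEN_POLICY, BLOCK_NONE),
                              ("open policy, block on", OPEN_POLICY, BLOCK_ALL),
                              ("scoped policy", SCOPED_POLICY, BLOCK_NONE)]:
        print(name, assess_bucket(policy, pab))
```

The check covers policy-based exposure only. A bucket can also be opened through its ACL (grants to the AllUsers or AuthenticatedUsers groups), which is what the BlockPublicAcls and IgnorePublicAcls flags address; a complete audit reads the ACL as well, and the simplest fix for buckets holding identity documents is to enable all four Public Access Block flags at the account level so that neither path can be opened by mistake.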

The exposed GigtoGig bucket included:

  • 122,964 workers’ passports
  • 17,102 work permits
  • 2,810 visas
  • 26,311 CVs

[Image: Leaked passport example]

The dataset had been exposed for several weeks. Given the sensitive nature of the leaked documents and the fact that threat actors can discover publicly exposed data within seconds, this incident is extremely concerning.

At the time of writing, the database has been secured. We’ve contacted the company to see if they’ve informed gig workers about the incident and potential risks, but we haven’t heard back from them yet.

Gig workers at risk of identity theft

While we are not aware of any threat actor accessing and downloading the dataset's contents, even brief exposure to sensitive data such as a passport poses a significant risk.

Using leaked or stolen passport copies, criminals can create fake identities with ease, and use them to apply for loans and engage in fraudulent activities.

Exploiting work permits and visas, crooks can forge employment eligibility or travel authorizations, potentially leading to illegal activities or unauthorized entry into countries, as per Cybernews researchers.

The gig workers are also at risk of highly targeted phishing attacks, in which criminals might attempt to spoof employers or government agencies to defraud their victims.

Exposed CVs are also a very handy tool for attackers since they can be used to craft convincing phishing emails.

“Scammers might impersonate trusted entities to extract more sensitive information or money from the applicants,” Cybernews researchers said.

“Similarly, with access to phone numbers and other PII, attackers can impersonate employers or recruiters, claiming that there was an issue with the applicant's submission or that further details are needed to process the application. They might ask for additional sensitive information or payment for services like background checks.”

Last but not least, the data leak could lead to doxxing, or unauthorized public exposure of personal information, which is a serious threat since attackers “search the internet for material that may be used to further their financial or personal agendas.”