Too Much Information? The Rising Risks of Collecting Job Applicant Data - American Society of Employers - Dan Van Slambrook

Data breaches are no longer a threat limited to credit cards or customer records. Today, job applicant data has become an increasingly attractive target for hackers. Resumes, addresses, phone numbers, and Social Security numbers are collected all in one place, creating a treasure trove for identity thieves. For employers, the stakes are high: breaches can expose applicants to fraud while leaving organizations vulnerable to lawsuits, regulatory fines, and reputational damage.

High-profile breaches in 2025 illustrate the vulnerability of applicant information. In June, security researchers discovered that McDonald’s AI hiring chatbot, Olivia, deployed via the McHire platform, was misconfigured. The flaw exposed more than 64 million applicant chat records, including names, email addresses, phone numbers, and chat histories. Around the same time, recruiting software company TalentHook left a Microsoft Azure Blob storage container unsecured, exposing roughly 26 million resumes that included contact information, employment histories, and educational backgrounds. Even established corporations have faced similar risks. In 2024, Advance Auto Parts confirmed that a third-party provider’s breach exposed personal data of applicants and employees, including Social Security numbers; that data was later offered for sale on the dark web.

These cases highlight a critical point: breaches aren’t always the result of sophisticated hacking. Simple misconfigurations, weak passwords, and inadequate vendor oversight can create massive exposure. Employers may not even realize how much sensitive data they hold, or how vulnerable it is, until a breach occurs.

At the same time, the legal landscape for applicant data has grown more complex. Michigan’s Social Security Number Privacy Act (Act 454 of 2004) still governs how employers can collect, store, and use SSNs. Organizations must maintain written privacy policies, limit access to SSNs, ensure proper disposal, and avoid displaying more than four sequential SSN digits. Other states have added protections, including stricter breach-notification requirements and safeguards for biometric or online account data. Federal regulators, including the FTC, have increased enforcement against companies that misrepresent security practices or fail to take reasonable protective measures.

Given these pressures, employers must rethink what they ask from job applicants and when. Sensitive information is often collected far too early in the process. Some systems use Social Security numbers as identifiers or request banking information before an offer has been made. While convenient, this approach dramatically increases the potential for exposure if a breach occurs.

Experts recommend staging data collection according to the hiring process. Early applications should request only basic information: contact details, education, and work history. Background checks and verification may justify additional identifiers at later stages, while tax forms, banking details, and Social Security numbers should be collected only after a job offer is extended. This approach minimizes the amount of sensitive data stored at any one time.

Candidates are noticing, too. Studies show that long, intrusive applications lead to higher abandonment rates. Applicants are increasingly wary of sharing sensitive data, and organizations that respect privacy often see higher completion rates and a stronger employer brand. Streamlined applications that collect only what is necessary at each stage not only reduce risk but also improve the candidate experience.

Practical Steps for Employers

Employers can take several actions to reduce the risk of a breach:

  • Limit data collection: Ask only for the information needed at each stage of the hiring process. Avoid requesting Social Security numbers, banking details, or sensitive identifiers until absolutely necessary.
  • Implement strict access controls: Restrict who can view applicant data. Use role-based permissions and require multi-factor authentication for systems storing sensitive information.
  • Audit systems regularly: Conduct periodic audits of in-house and third-party platforms to identify misconfigurations, outdated software, or potential vulnerabilities.
  • Train staff: Educate HR teams, recruiters, and managers on best practices for handling applicant data, emphasizing that small lapses can have large consequences.
  • Maintain clear privacy policies: Document how applicant information is collected, stored, and disposed of. Ensure compliance with federal and state regulations.
  • Have a breach response plan: Prepare for potential incidents with a formal plan to contain breaches, notify affected applicants promptly, and offer remediation such as credit monitoring if appropriate.
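The staged data collection described above, together with the "limit data collection" step and the four-digit SSN display limit from the Michigan Act, can be enforced mechanically in an applicant-tracking system. The following is an added example, not code from the article or from any vendor it mentions; the three stage names, field names, and record layout are assumptions.

```python
"""Data-minimization checks for a hiring pipeline (added example).

Assumptions: each applicant record is a flat dict, and the hiring process
has three hypothetical stages in order: "application", "background_check",
"post_offer". A later stage may hold everything an earlier one may hold.
"""
import re

STAGE_ORDER = ["application", "background_check", "post_offer"]

# Fields that may first be collected at each stage (assumed field names).
STAGE_FIELDS = {
    "application": {"name", "email", "phone", "education", "work_history"},
    "background_check": {"date_of_birth", "address"},
    "post_offer": {"ssn", "bank_account", "tax_form"},
}


def allowed_fields(stage):
    """Union of fields permitted at this stage and all earlier stages."""
    idx = STAGE_ORDER.index(stage)  # raises ValueError for unknown stage
    allowed = set()
    for s in STAGE_ORDER[: idx + 1]:
        allowed |= STAGE_FIELDS[s]
    return allowed


def premature_fields(stage, record):
    """Fields present in the record that this stage is not yet allowed to hold."""
    return {k for k in record if k not in allowed_fields(stage)}


def mask_ssn(ssn):
    """Display form that reveals only the last four digits of a nine-digit SSN."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]


def redact_for_display(record):
    """Copy of the record safe to show on screen: SSN and account masked."""
    out = dict(record)
    if "ssn" in out:
        out["ssn"] = mask_ssn(out["ssn"])
    if "bank_account" in out:
        out["bank_account"] = "****" + str(out["bank_account"])[-4:]
    return out
```

A form builder or import job would call `premature_fields` before saving a submission and reject (or strip) any field it returns, and every UI path would go through `redact_for_display`.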

The risks of collecting excessive information are not just hypothetical. Exposed data can fuel identity theft and financial fraud, while employers face the potential for fines, lawsuits, and long-term reputational harm. The question for organizations isn’t how much they can collect – it’s how much they truly need. By limiting data collection, securing what is collected, and maintaining transparent policies, employers can protect both applicants and themselves. In today’s environment, where hackers actively seek weak points in hiring systems, the safest strategy is simple: gather less, protect more.

ASE Connect

SensCy: ASE and SensCy partner to provide ASE members with access to their comprehensive cybersecurity solutions tailored to meet the unique challenges facing small and medium-sized organizations today. Through their hands-on guided support, employee training, and complimentary cybersecurity assessments, ASE members have an opportunity to address and improve the cyber health of their organization with SensCy's comprehensive and trusted solution. For more information, contact Dana Weidinger. Book a time for your complimentary SensCy cybersecurity assessment here.


Sources: IT Pro; LegalClarity; Michigan Legislature; Wired
