This story has been updated.
A security flaw on Metro’s Web site could have revealed personal information about people applying for jobs with the transit agency.
Metro’s jobs page had a “refer a friend” feature allowing visitors to e-mail an opening to another person. If you knew the e-mail address of someone who had applied for a Metro job in the past, you could enter it there and, eventually, access applicant profiles.
The breach was first reported on Thursday by WJLA.
Metro took down the “refer a friend” feature shortly after WJLA alerted it to the problem on Wednesday afternoon, said Metro spokeswoman Caroline Lukas.
These profiles could have included names, addresses and phone numbers, but they didn’t contain Social Security numbers or other personal information, Lukas said.
The “refer a friend” feature had been active for about two months. WJLA reported that it was able to access the information of a current Metro employee. There are 13 current Metro employees who could have had their information seen, Lukas said.
“The potential risk was small, because an individual would need to (a) know that the issue existed and (b) the personal email address of a previous applicant,” Dan Stessel, Metro’s chief spokesman, said in an e-mail.
The “refer a friend” feature won’t return to the site until PeopleSoft, the software vendor, fixes the problem, Stessel added.
If you have applied for a job at Metro, we want to hear from you. E-mail us at email@example.com with your contact information.