Content

Monster.com job applicants info exposed on unprotected server

Personal details from resumes and CVs from job seekers were exposed after a server belonging to a recruitment company that was a customer of Monster.com and others was left unprotected.

Monster.com which learned of the breach in August, did not initially alert potential victims to the exposure, contending that notification responsibly lay with the recruitment company that “owned” the data.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” Monster Chief Privacy Officer (CPO) Michael Jones said in a statement cited by TechCrunch. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Jones said it contacted the recruitment company it first became aware of the exposed server, which was secured soon thereafter.

“In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical, said Peter Goldstein, CTO and co-founder of Valimail.

Indeed, “Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst. “This is obviously not an acceptable excuse to those whose private information was exposed.”

While “Monster shrugs its sloping shoulders,” European regulators might not be so blaise about the leak, Lucy Security CEO Colin Bastable said. “Of course, Monster’s Ts and Cs - terms and conditions -  may leave them without liability. Let’s see how the EU treats this.”

Information exposed included work history, phone numbers, email addresses and home addresses on resumes submitted between 2014 and 2017.

“The exposed resumes give cybercriminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams,” said Goldstein. “And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims.”

He contended that “Monster may not have been required to notify regulators in this specific situation,” but an organization’s “best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach.”

Users continue to get the short end of the stick and Bastable suggests maybe it’s time for the data-sharing model to change. “Why would anyone trust any business with their data when it is being pimped out like this?” said Bastable. “At least give people a slice of the action when you sell their data.”

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds