Experts Dots On Monster.com Partner Exposes Resumes And CVs For Applicants From 2014 Through 2017

An exposed web server storing résumés of job seekers, including applicants from recruitment site Monster, has been found online. The number of affected records is small compared to other breaches, but Monster.com is a well-known consumer-facing brand.
The server held résumés and CVs for job applicants from 2014 through 2017. Many of them included private information such as phone numbers and home addresses, as well as email addresses and the person's prior work experience. Of the documents we reviewed, most belonged to users located in the United States.

EXPERTS' COMMENTS
Pankaj Parekh, Chief Product and Strategy Officer, SecurityFirst
September 09, 2019
This is obviously not an acceptable excuse to those whose private information was exposed.
Once again we see a data breach due to the actions, or inactions, of a third party. Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed. This is obviously not an acceptable excuse to those whose private information was exposed. A better solution is needed – in which the data is secured even after it’s been passed to a third party. And regulations should be tightened – so that even if a third party causes a breach, the original collector of the data (Monster) should be required to report it.
Colin Bastable, CEO, Lucy Security
September 09, 2019
Monster shrugs its sloping shoulders, but this is important data that it has profiteered from.
Once again, third party risk is shown to be the great cybersecurity risk multiplier. But this case should serve as a wake-up call to every consumer – our data is not our own. Aggregated data is being traded for massive profits, and like mortgages and other debt, it is packaged and sold with no come-back. Monster washes its hands of responsibility for your data security the moment it sells it - “Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. Why would anyone trust any business with their data when it is being pimped out like this? At least give people a slice of the action when you sell their data. Monster shrugs its sloping shoulders, but this is important data that it has profiteered from. Bad actors can use resume information to phish, to impersonate, to build socially-engineered attacks on past, present and future employers, on colleagues and on the poor saps who trusted Monster. Of course, Monster’s Ts and Cs - terms and conditions - may leave them without liability. Let’s see how the EU treats this.
Pierluigi Stella, CTO, Network Box USA
September 09, 2019
It can so easily be (mis)read as though it were Monster themselves who lost the data, which they didn’t.
I must admit, Monster isn't wrong here. They aren't the ones who lost the data, so why should they be on the hook for the notification, which costs money and, far worse, discredits them in the minds of users? I imagine the users are very confused. It can so easily be (mis)read as though it were Monster themselves who lost the data, which they didn't. So why are we expecting them to undertake the notification process? The Monster client (namely recruiters) should be held accountable for that. Not them. The type of data stolen, by the way, doesn't seem too concerning - phone number and address. How many times have we lost that data already anyway in other previous leaks? For instance, Texas.gov was hacked some time ago. How much of that information was already stolen? If anyone still thinks their data hasn't been stolen, they are either delusional, have been living under a rock for the past several years, or simply don't use anything of the modern world - no credit cards, no iPhone, no computer, no internet. Maybe, just maybe, that way your identity could remain safe. Otherwise, you'd better believe that your data's already out there, on the dark web, and any new hack like this one only serves to remind us that our life is no longer private; that all our data has already been stolen.
Paul Bischoff, Privacy Advocate, Comparitech
September 09, 2019
Sending out a simple notification would go a long way in protecting users and allowing them to take appropriate action.
Monster's refusal to warn customers about a known data breach involving data it collected is irresponsible. Even though the data was exposed by a third party, Monster ought to do what it can to protect its users and not just attempt to absolve itself of responsibility. Sending out a simple notification would go a long way in protecting users and allowing them to take appropriate action. Those same customers might disregard such a notification from the third party who actually leaked the data, because they never had any direct interaction. This case goes to show that even if you trust a company to which you give information, you might not trust other companies with whom the information is shared. I suspect very few affected Monster users were aware their information was being shared with third parties.
Erich Kron, Security Awareness Advocate, KnowBe4
September 08, 2019
Currently, in the US, people are often completely unaware when data is processed by a third party.
This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organizations are going to collect them as they review and use them for job considerations. Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address. While the potential leak should not have taken place at all, the third party did respond in a timely manner and fixed the problem. Unfortunately, many organizations have not considered how to deal with events like this and therefore lack the policies and procedures to deal with them quickly and efficiently.
Matan Or-El, Co-Founder and CEO, Panorays
September 08, 2019
Companies provide customers with the right to opt out of selling their personal information to third parties.
The data exposure incident involving Monster.com illustrates precisely the situation that privacy regulations are attempting to address. While Monster.com noted that they are not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of the sale of their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties. For this reason, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as assess and continuously monitor the third parties that have access to that data.
Peter Goldstein, CTO and Co-founder, Valimail
September 08, 2019
Companies must inform those impacted so as to minimize the possibility of them falling victim to future attacks.
In today's era of growing privacy regulations, how companies react in the wake of a data breach is critical. While Monster may not have been required to notify regulators in this specific situation, best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach. The exposed resumes give cyber criminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams. And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims. Companies must take more proactive measures to keep customer data secure and protected, and in the event of a breach, they must inform those impacted so as to minimize the possibility of them falling victim to future attacks.
George Wrenn, Founder and CEO, CyberSaint Security
September 08, 2019
Managing third-party vendors has become a leading concern for all businesses, especially internet-based companies.
Managing third-party vendors has become a leading concern for all businesses, especially internet-based companies. Given that organizations are implementing more and more third-party technologies, these purchases often outpace the level of assessment that is necessary to gauge a vendor's cybersecurity posture. Businesses must seek out solutions that streamline and integrate vendor risk alongside their internal assessments of cybersecurity risk and compliance. CISOs need to look holistically at cyber risk management and treat vendor risk as being as important to their risk posture as their own internal cybersecurity practices.
Bryan Becker, DAST Product Manager and Security Researcher, WhiteHat Security
September 08, 2019
Organisations should start taking steps now to manage sensitive data shared with third parties.
This is a tough challenge for companies that hold customer private data. Monster shared the data with a third party (a recruiter), who then leaked it. Legislation like GDPR, or the California Consumer Privacy Act, will help mitigate this issue by placing the responsibility on the data controller (Monster) to make sure the recipients of that data handle it responsibly. It is likely we will see more legislation in this area as we go into the future, but until then, organisations should start taking steps now to manage sensitive data shared with third parties, at least just to prevent damage to their reputation when situations like this one happen.
Erich Kron, Security Awareness Advocate, KnowBe4
September 06, 2019
Unfortunately, many organisations have not considered how to deal with events.
This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organisations are going to collect them as they review and use them for job considerations. Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address. While the potential leak should not have taken place at all, the third party did respond in a timely manner and fixed the problem. Unfortunately, many organisations have not considered how to deal with events like this and therefore lack the policies and procedures to deal with them quickly and efficiently.
Vinay Sridhara, CTO, Balbix
September 06, 2019
Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets.
The personally identifiable information (PII) typically found on a résumé can lead to account hijacking and highly targeted phishing attacks if it falls into the wrong hands. In fact, a threat actor can have password reset codes sent to a compromised phone number or email for far more sensitive accounts – both personal and professional. Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches and avoid fines from data privacy laws.