Experts Dots On Monster.com Partner Exposes Resumes And CVs For Applicants From 2014 Through 2017

Reports have emerged that an exposed web server storing résumés of job seekers, including from recruitment site Monster, has been found online. The relative numbers are small compared to other breaches, but Monster.com is a known consumer-facing brand.
The server contained résumés and CVs for job applicants spanning 2014 to 2017, many of which included private information like phone numbers and home addresses, as well as email addresses and a person's prior work experience. Of the documents we reviewed, most users were located in the United States.

EXPERTS COMMENTS
Pankaj Parekh, Chief Product and Strategy Officer, SecurityFirst
September 09, 2019
This is obviously not an acceptable excuse to those whose private information was exposed.
Once again we see a data breach due to the actions, or inactions, of a third party. Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed. This is obviously not an acceptable excuse to those whose private information was exposed. A better solution is needed – in which the data is secured even after it’s ....
Colin Bastable, CEO, Lucy Security
September 09, 2019
Monster shrugs its sloping shoulders, but this is important data that it has profiteered from.
Once again, third party risk is shown to be the great cybersecurity risk multiplier. But this case should serve as a wake-up call to every consumer – our data is not our own. Aggregated data is being traded for massive profits, and like mortgages and other debt, it is packaged and sold with no come-back. Monster washes its hands of responsibility for your data security the moment it sells it ....
Pierluigi Stella, CTO, Network Box USA
September 09, 2019
It can so easily be (mis)read as though it were Monster themselves who lost the data, which they didn’t.
I must admit, Monster isn’t wrong here. They aren’t the ones who lost the data, so why should they be on the hook for the notification - which costs money and, far worse, discredits them in the minds of users. I imagine the users are very confused. It can so easily be (mis)read as though it were Monster themselves who lost the data, which they didn’t. So why are we expecting them to underta ....
Paul Bischoff, Privacy Advocate, Comparitech
September 09, 2019
Sending out a simple notification would go a long way in protecting users and allowing them to take appropriate action.
Monster's refusal to warn customers about a known data breach involving data it collected is irresponsible. Even though the data was exposed by a third party, Monster ought to do what it can to protect its users and not just attempt to absolve itself of responsibility. Sending out a simple notification would go a long way in protecting users and allowing them to take appropriate action. Those same ....
Erich Kron, Security Awareness Advocate, KnowBe4
September 08, 2019
Currently, in the US, people are often completely unaware when data is processed by a third party.
This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organizations are going to collect them as they review and use them for job considerations. Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in th ....
Matan Or-El, Co-Founder and CEO, Panorays
September 08, 2019
Companies provide customers with the right to opt out of selling their personal information to third parties.
The data exposure incident involving Monster.com illustrates precisely the situation that privacy regulations are attempting to address. While Monster.com noted that they are not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goe ....
Peter Goldstein, CTO and Co-founder, Valimail
September 08, 2019
Companies must inform those impacted so as to minimize the possibility of them falling victim to future attacks.
In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical. While Monster may not have been required to notify regulators in this specific situation, best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach. The exposed resumes give cyber criminals more than enough data to commit phishing ....
George Wrenn, Founder and CEO, CyberSaint Security
September 08, 2019
Managing third-party vendors has become a leading concern for all businesses, especially internet-based companies.
Managing third-party vendors has become a leading concern for all businesses, especially internet-based companies. Given that organizations are implementing more and more third-party technologies, these purchases often outpace the level of assessment that is necessary to gauge a vendor's cybersecurity posture. Businesses must seek out solutions that streamline and integrate vendor risk alongside ....
Bryan Becker, DAST Product Manager and Security Researcher, WhiteHat Security
September 08, 2019
Organisations should start taking steps now to manage sensitive data shared with third parties.
This is a tough challenge for companies that hold customer private data. Monster shared the data with a third party (a recruiter), who then leaked it. Legislation like GDPR, or the California Consumer Privacy Act, will help mitigate this issue by placing the responsibility on the data controller (Monster) to make sure the recipients of that data handle it responsibly. It is likely we will see more ....
Vinay Sridhara, CTO, Balbix
September 06, 2019
Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets.
The personally identifiable information (PII) typically found on a résumé can lead to account hijacking and highly targeted phishing attacks if it falls into the wrong hands. In fact, a threat actor can have password reset codes sent to a compromised phone number or email for far more sensitive accounts – both personal and professional. Organizations must implement security solutions that sc ....
