Amidst reports that an exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online. The relative numbers are small compared to other breaches, but Monster.com is a known consumer-facing brand.
The server contained résumés and CVs for job applicants spanning between 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email addresses and a person’s prior work experience. Of the documents we reviewed, most users were located in the United States.
Once again we see a data breach due to the actions, or inactions, of a third party. Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed. This is obviously not an acceptable excuse to those whose private information was exposed. A better solution is needed – in which the data is secured even after it’s been passed to a third party. And regulations should be tightened – so that even if a third party causes a breach, the original collector of the data (Monster) should be required to report it.
Once again, third party risk is shown to be the great cybersecurity risk multiplier. But this case should serve as a wake-up call to every consumer – our data is not our own. Aggregated data is being traded for massive profits, and like mortgages and other debt, it is packaged and sold with no come-back.
Monster washes its hands of responsibility for your data security the moment it sells it – “Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said.
Why would anyone trust any business with their data when it is being pimped out like this? At least give people a slice of the action when you sell their data. Monster shrugs its sloping shoulders, but this is important data that it has profiteered from. Bad actors can use resume information to phish, to impersonate, to build socially-engineered attacks on past, present and future employers, on colleagues and on the poor saps who trusted Monster. Of course, Monster’s Ts and Cs – terms and conditions – may leave them without liability. Let’s see how the EU treats this.
I must admit, Monster isn’t wrong here. They aren’t the ones who lost the data, so why should they be on the hook for the notification – which costs money and, far worse, discredits them in the minds of users. I imagine the users are very confused. It can so easily be (mis)read as though it were Monster themselves who lost the data, which they didn’t. So why are we expecting them to undertake the notification process? The Monster client (namely recruiters) should be held accountable for that. Not them.
The type of data stolen, btw, doesn’t seem too concerning – phone number and address. How many times have we lost that data already anyway in other precocious leaks? For instance, Texas.gov was hacked some time ago. How much of that information was already stolen? If anyone still thinks their data hasn’t been stolen, they are either delusional, been living under a rock for the past several years, or they simply don’t use anything of the modern world – no credit cards, no iPhone, no computer, no internet. Maybe, just maybe, that way your identity could remain safe. Otherwise, you’d better believe that your data’s already out there, on the dark web, and any new hack like this one only serves to remind us that our life is no longer private; that all our data has already been stolen.
Monster\’s refusal to warn customers about a known data breach involving data it collected is irresponsible. Even though the data was exposed by a third party, Monster ought to do what it can to protect its users and not just attempt to absolve itself of responsibility. Sending out a simple notification would go a long way in protecting users and allowing them to take appropriate action. Those same customers might disregard such a notification from the third party who actually leaked the data, because they never had any direct interaction.
This case goes to show that even if you trust a company to which you give information, you might not trust other companies with whom the information is shared. I suspect very few affected Monster users were aware their information was being shared with third parties.
This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organizations are going to collect them as they review and use them for job considerations. Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address.
While the potential leak should not have taken place at all, the third party did respond in a timely manner and fixed the problem. Unfortunately, many organizations have not considered how to deal with events like this and therefore lack the policies and procedures to deal with them quickly and efficiently.