According to a report in Silicon Angle, the resumes include job applicants from 2014 to 2017 and could potentially total tens of thousands of forms relating to an equal number of people. It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files found on the exposed server included immigration documentation for work, which Monster does not collect. Although the data is no longer accessible directly from the exposed web server, hundreds of résumés and other documents can be found in results cached by search engines.
While the data breach has yet to be fully explained by Monster Worldwide Inc., the news has been reported on TechCrunch, which spoke with the job application website. This report indicates that the server was owned by an unnamed recruitment customer with whom Monster Worldwide Inc. no longer works. The company states that the server has been secure since August 2019.
Speaking with TechCrunch, Monster’s chief privacy officer Michael Jones said his company was “not in a position” to find and notify affected users, stating: “Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
To understand the background to the data breach, Digital Journal spoke with Peter Goldstein, CTO and co-founder of Valimail. He explains why Monster should let people know about the issue: “In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical. While Monster may not have been required to notify regulators in this specific situation, best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach.”
Goldstein also explains the seriousness of the issue: “The exposed resumes give cyber criminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams. And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims.”
Going forward, Goldstein says that companies need to do more to prevent incidents of this type from occurring: “Companies must take more proactive measures to keep customer data secure and protected, and in the event of a breach, they must inform those impacted so as to minimize the possibility of them falling victim to future attacks.”