Monster.com Acknowledges Third-Party Exposed Their User Data

41

An unveiled web server which is collecting résumés of job seekers, including those on the database of recruitment site Monster, has been discovered online.

What Information Was Leaked 

The server held résumés and CVs of job applicants spanning from 2014 to 2017.

Many of these included private information like their phone numbers and home addresses.

It also included email addresses and the applicant’s prior work experience.

Most of the documents that were reviewed were located in the United States.

It is not precisely known how many files were exposed, but there were loads of résumés found in a single folder which was dated May 2017. 

Additional files found on the exposed server involved immigration documentation for work, which Monster does not collect.

When Did Monster.com Get Involved? 

A company report released by Monster.com’s Chief Privacy Officer, Michael Jones, states that a recruitment customer controlled the server with the database. The report also confirmed that the Monster.com doesn’t work with this unnamed recruitment customer. 

When asked, the company refused to name the recruitment customer.

The company said the Monster Security Team was informed about possible exposure and they notified the recruitment company of the issue.

The exposed server was acquired shortly after it was reported in August.

Though the data is no longer available directly from the exposed web server, several résumés and other documents can be found in results stored by search engines.

Monster.com did not alert the users of this exposure and only accepted that the user data was exposed after the security researcher informed about the matter.

According to the company policy, when customers purchase access to Monster’s data, applicant résumés and CVs, they become the owners of the data. This makes them liable for preserving its security.

Since the customers are the owners of this data, they are entirely responsible for notifications to concerned parties in the event of a violation of a customer’s database.

Under the local data violation notification laws, companies are required to notify state attorneys officer where huge numbers of users in their states are affected. 

Although Monster is not duty-bound to reveal the exposure to regulators, some other companies proactively inform their users even when third parties are involved.

It is not unusual for companies to notify their users of a third-party violation.

Monster said that because the exposure occurred on a customer system, Monster is not in a situation to classify or validate the affected users.

SEE ALSOThe Upcoming SaaS Wave – APIs

For more updates and the latest tech news, keep reading iTMunch.