A server belonging to a recruitment company that was a customer of Monster.com and others was left unprotected causing the exposure of personal details from resumes to CVs from job seekers.
Monster.com was aware of the data breach since August, however, this did not led them to notify potential victims on the exposure, asserting that this was the responsibility of the recruitment company that “owned” the data.
“Customers that purchase access to Monster’s data – candidate resumes and CVs – become the owners of the data and are responsible for maintaining its security”, Monster Chief Privacy Officer (CPO) Michael Jones said in a statement cited by TechCrunch. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
Jones also mentioned that they notified the recruitment company after they were aware of the data breach, which was soon secured. “In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical”, said Peter Goldstein, CTO and co-founder of Valimail.
Indeed, “Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed,” said Pankaj Parekh, chief product and strategy officer at SecurityFirst. “This is obviously not an acceptable excuse to those whose private information was exposed.”
While “Monster shrugs its sloppyg shoulders”, European regulators might not be so easy-going about the data leak, Lucy Security CEO Colin Bastable said. “Of course, Monster’s Ts and Cs – terms and conditions – may leave them without liability. Let’s see how the EU treats this.”
Information that were leaked consists of phone number, work history, home addresses, as well as email addresses included on resumes that were submitted from 2014 to 2017.
“The exposed resumes give cybercriminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams,” said Goldstein. “And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims.”
He asserted that “Monster may not have been required to notify regulators in this specific situation,” but an organization’s “best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach.”
Users are continuously to receive the worst end of a bargain and Bastable suggests maybe it’s time to change the data-sharing model. “Why would anyone trust any business with their data when it is being pimped out like this?” said Bastable. “At least give people a slice of the action when you sell their data.”
As an International key player in Cyber Security services, training and certification provider, Condition Zebra would suggest that companies which hold a lot of user’s data take a significant cyber security measure. It is a MUST for every companies to ensure that they meet General Data Protection Regulation (GDPR) compliance.
These are 3 strategies an organization can use to strengthen their cybersecurity posture.
1. Conduct Penetration Testing Regularly.
Conducting regular security assessment will identify all the flaws and loopholes within the organization that needs to be addressed so the system does not stop functioning or is exploited. Your organization can take advantage of Condition Zebra’s Free Penetration Testing service to find out your system’s cyber security level.
2. Train Your Employees.
Data is the most sensitive part of the organization and that is what cyber criminals target the most. Employees are the first line of organization defense, so it is very important to train them well to make them familiar with the techniques that hackers are using these days in order to prevent such thefts. Condition Zebra offers cyber security trainings to help organizations prepare. Learn more about the training and reach out to our top consultants today.
3. Enforce Password Law.
To secure companies from cyber attacks, using strong passwords is a must. Companies have to make it mandatory for employees to change their password from time to time.
Every organizations (from large to small businesses) can become a victim of cybercrime. Technical controls combined with employee trainings are an effective way to prevent risking your systems to cyber attacks.