IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Monster.com job seeker data exposed in third-party leak

Unprotected server contained CVs from between 2014 and 2017

A web server storing the CVs of job seekers, including those from recruitment site Monster, has been discovered online.

While exact numbers are not known, the CVs include job applicants from 2014 to 2017, with those effected potentially running into the tens of thousands. The CVs contain private information such as addresses, phones numbers, email address and work history.

According to a report by TechCrunch, a statement by Monster's chief privacy officer Michael Jones said the server was owned by an unnamed recruitment customer, which it no longer works with.

Jones said that his firm's security team "was made aware of a possible exposure and notified the recruitment company of the issue". The company added that the server was secured in August.

"Customers that purchase access to Monster's data - candidate rsums and CVs - become the owners of the data and are responsible for maintaining its security," the statement added. "Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer's database."

The majority of the CVs appeared to belong to users in the US, but trove could also include users in the EU, suggesting that regulatory action from European data protection authorities operating under GDPR could be on the horizon.

While data is not directly accessible, private information could be found in caches of search engines.

Erich Kron, security awareness advocate for KnowBe4, told IT Pro that this is a lesson in how data can spread without people being aware of it.

"In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organisations are going to collect them as they review and use them for job considerations. Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address," he said.

"While the potential leak should not have taken place at all, the third party did respond in a timely manner and fixed the problem," added Kron. "Unfortunately, many organisations have not considered how to deal with events like this and therefore lack the policies and procedures to deal with them quickly and efficiently."

Back in 2009, Monster's UK site was hit by a direct hack on its systems that led to the theft of data belonging to 4.5 million users, considered at the time to have been the largest data breach in UK history.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022