Another day, another major breach of consumer data due to a third party. Yesterday, a security researcher discovered an exposed web server containing the résumés of job seekers. Among them were résumés from Monster.com, a recruitment site tailored to job seekers.
According to reports, the exposed server contained an unknown number of résumés and CVs dating from 2014 to 2017; a single folder dated May 2017 alone contained thousands of résumés. Of course, these job seeker documents contain personally identifying information, including phone numbers, home addresses, email addresses, and prior work experience.
Additionally, the exposed files included immigration documentation, although Monster.com does not collect this information. The server was removed, but thousands of résumés remain accessible through search engine caches.
The company released a statement attributing the server to a third-party recruitment customer. While Monster.com stated that it no longer works with this third party, it also declined to identify them.
However, Monster.com did not alert users to the data exposure at first; it only acknowledged the breach to its users after a security researcher alerted fellow publication TechCrunch. Granted, Monster did not expose the data itself, but this has led to questions about the responsibility of data collectors after the fact.
According to the company statement “customers that purchase access to Monster’s data—candidate résumés and CVs—become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
The company did not have a legal obligation to alert regulators in this case, although it is considered a best practice to do so.
Takeaways from the Monster.com Breach
First and foremost, watch your third-party privileges and data movement. Third parties have, and often deserve, a notorious reputation for exposing and otherwise putting data at risk. In other cases, they may obtain privileges to your data far beyond what their role in your enterprise requires. Make sure you govern your third parties’ identities so that their access fits your cybersecurity policies.
Second, you need to alert users if your enterprise does suffer a security incident that affects them—even if you do not have an obligation. While a data breach can seem damaging, refusing to accept any responsibility can create a worse image. Of course, this may not reflect on Monster itself as it didn’t lose the data, but one of the companies involved must step up in cases of data breaches.
Yet the most important conversation may involve the obligations companies have when selling, purchasing, and storing user data. This conversation only grows in importance by the day, even as we grapple with its implications.
You can work to improve your identity security and permissions controls with our 2019 Identity Management Buyer’s Guide.