UPDATED 22:53 EST / SEPTEMBER 05 2019

SECURITY

Monster.com user resumes exposed on misconfigured cloud server

A database containing resumes from job seekers, including those from recruitment site Monster Worldwide Inc., has been found exposed online in what is likely another case of a misconfigured cloud instance or server.

The exact numbers are not known, but the resumes are said to include job applicants from 2014 to 2017 and could potentially total tens of thousands if not significantly more. The resumes included private information, including addresses, phone numbers, email addresses and work history.

Monster.com has not publicly disclosed nor discussed the data breach, but a company spokesperson told TechCrunch Thursday that the server was owned by an unnamed recruitment customer it no longer works with. “The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company noted, adding that the server was secured in August.

The resumes were primarily of Monster.com users in the U.S. but may have included users in the European Union, raising questions as to whether the company has breached the EU’s General Data Protection Regulation. Aside from any legal issues, the data in the wrong hands presents a serious risk to users.

“The personally identifiable information typically found on a resume can lead to account hijacking and highly targeted phishing attacks if it falls into the wrong hands,” Vinay Sridhara, chief technology officer of security posture visibility firm Balbix Inc., told SiliconANGLE. “In fact, a threat actor can have password reset codes sent to a compromised phone number or email for far more sensitive accounts – both personal and professional.”

Sridhara added that organizations must implement security solutions that scan and monitor not just the organization-owned and -managed assets, but also all third-party systems.

Colin Bastable, chief executive officer of security awareness training company Lucy Security AG, noted that it’s yet another case of outside parties becoming a “great cybersecurity risk multiplier.” Noting that the exposed data may have been sold by Monster.com to the unnamed third party, Bastable said Monster “washes its hands of responsibility for your data security the moment it sells it.”

“Why would anyone trust any business with their data when it is being pimped out like this? At least give people a slice of the action when you sell their data,” Bastable said. “Monster shrugs its sloping shoulders, but this is important data that it has profiteered from.”

Pankaj Parekh, chief product and strategy officer at critical data protection company SecurityFirst Corp., was also not impressed by Monster.

“This is obviously not an acceptable excuse to those whose private information was exposed,” Parekh said. “A better solution is needed in which the data is secured even after it’s been passed to a third party. And regulations should be tightened, so that even if a third party causes a breach, the original collector of the data should be required to report it.”
