[BreachExchange] Monster.com says a third party exposed user data but didn’t tell anyone

Destry Winant destry at riskbasedsecurity.com
Mon Sep 9 09:13:46 EDT 2019


An exposed web server storing résumés of job seekers — including from
recruitment site Monster — has been found online.

The server contained résumés and CVs for job applicants spanning 2014
and 2017, many of which included private information like phone
numbers and home addresses, but also email addresses and a person’s
prior work experience.

Of the documents we reviewed, most users were located in the United States.

It’s not known exactly how many files were exposed, but thousands of
résumés were found in a single folder dated May 2017. Other files
found on the exposed server included immigration documentation for
work, which Monster does not collect.

A company statement attributed to Monster’s chief privacy officer
Michael Jones said the server was owned by an unnamed recruitment
customer, with which it no longer works. When pressed, the company
declined to name the recruitment customer.

“The Monster Security Team was made aware of a possible exposure and
notified the recruitment company of the issue,” the company said,
adding the exposed server was secured shortly after it was reported in

Although the data is no longer accessible directly from the exposed
web server, hundreds of résumés and other documents can be found in
results cached by search engines.

But Monster did not warn users of the exposure, and only admitted user
data was exposed after the security researcher alerted TechCrunch to
the matter.

“Customers that purchase access to Monster’s data — candidate résumés
and CVs — become the owners of the data and are responsible for
maintaining its security,” the company said. “Because customers are
the owners of this data, they are solely responsible for notifications
to affected parties in the event of a breach of a customer’s

Under local data breach notification laws, companies are obliged to
inform state attorneys general where large numbers of users in their
states are affected. Although Monster is not duty bound to disclose
the exposure to regulators, some companies proactively warn their
users even when third parties are involved.

It’s not uncommon for companies to warn their users of a third-party
breach. Earlier this year after hackers siphoned off millions of
credit cards from third-party payments processor American Medical
Collection Agency, its customers — LabCorp and Quest Diagnostics —
admitted to the security lapse.

Monster said that because the exposure happened on a customer system,
Monster is “not in a position” to identify or confirm affected users.
