[BreachExchange] Monster Defends Data Leak Response

Destry Winant destry at riskbasedsecurity.com
Tue Sep 10 09:59:22 EDT 2019


Sensitive personal data uploaded to a popular recruitment site has
been found exposed on an unsecured web server after a third-party
client failed to keep it secure.

Reports emerged late last week that résumés and other documents
belonging to an undisclosed number of job-seekers were found
unprotected on the internet by a security researcher: the latest in a
long line of privacy snafus.

However, although some were identified as having been posted to
Monster, the jobs site clarified that the issue was actually the fault
of one of its customers.

“We alerted the customer and the customer immediately resolved the
issue,” said the firm’s chief privacy officer, Michael Jones, in a
statement sent to Infosecurity. “As a result of this incident, we have
terminated the customer’s contract.”

He went on to explain why Monster should not be held responsible for
the incident.

“We understand that people are concerned about data breaches and the
discomfort they bring. For that reason, breach notifications require
identifying the individuals and data that were affected, identifying
the cause of the breach, and describing actions taken to prevent
future breaches,” the statement continued.

“As the exposure occurred on a customer system, and involved customer
data obtained from multiple sources, we were not able to identify
affected individuals or affected information.”

The GDPR was designed in part to create more clarity on such issues of
accountability and transparency, although it’s not clear whether any
of those individuals affected were EU citizens.

“This is a lesson in how data can spread without people being aware of
it. In this case, when we put our job history and résumés/CVs on these
types of sites, we should assume that organizations are going to
collect them as they review and use them for job considerations,”
argued Erich Kron, security awareness advocate for KnowBe4.

“Where things get murky is what happens with the information after it
is used, and ensuring it was used in a proper manner in the first
place. Currently, in the US, people are often completely unaware when
data is processed by a third party. This is something that GDPR is
designed to address.”

Monster’s Jones claimed user privacy is one of the firm’s top priorities.

“To that end, Monster actively discourages candidates and job seekers
from sharing information they consider sensitive,” he concluded.

It could be argued that even innocuous-seeming information on a CV or
résumé could be used by crafty hackers to phish candidates for more