Monster.com’s latest data breach serves as a reminder that online job boards remain under attack from hackers, and that security incidents raise thorny questions about disclosure.
Observers say New York-based Monster Worldwide, which reported a database intrusion in late January, is not the only recruiting Web site that faces such troubles.
“I am familiar with a number of breaches” at job boards, said recruiting analyst Gerry Crispin. “There’s no one that’s immune.”
Crispin gave Monster credit for announcing the recent incident, which follows a major breach at the job board giant in summer 2007. But he faults Monster for failing to say when it expects to complete a probe of the matter. Leaving the public uncertain about when details of the breach may be available gives rise to speculation, he said.
On the other hand, Monster’s limited disclosures about the incident may stem from fear that saying too much would play into computer thieves’ hands, said recruiting consultant Peter Weddle. In other words, information about the attack could serve as “intelligence to people who are going to do it again and again and again,” he said.
Monster announced the breach January 23, saying it recently learned its database was illegally accessed. Certain contact and account data were taken, the company said, including user IDs and passwords, e-mail addresses, names, phone numbers and some demographic data. Monster said the information accessed does not include résumés.
“Monster does not generally collect—and the accessed information does not include—sensitive data such as Social Security numbers or personal financial data,” Patrick Manzo, Monster’s global chief privacy officer, added in a statement.
Monster says on its Web site that it “cannot disclose specific details of the situation because we need to protect the integrity of our security systems and our ongoing inquiry into this situation.”
Monster spokeswoman Nikki Richardson said the breach affected Monster sites in Western Europe and North America. She said it did not affect “non-career” Monster sites such as Military.com.
Richardson said Monster’s probe into the breach “will take as long as it takes.”
The breach also touched USAJobs, the federal government’s official jobs site. Monster provides technology for the site, which has 8 million registered users.
Security alerts mentioning the breach appeared at both USAJobs.gov and Monster.com. The alerts warned users about “phishing” e-mails, which are phony messages that attempt to solicit sensitive information or otherwise take advantage of a computer user. Monster.com and USAJobs.gov users also were told they may be required to change their passwords upon logging on to the sites.
Monster announced the attack the same month it launched a new version of its Web site. The new launch contained at least one glitch. Text on the home page didn’t align properly when viewed with a version of the Windows Internet Explorer Web browser. By Tuesday, February 10, that problem appeared to be fixed.
Monster said that in the 2007 incident, employer client login credentials had been compromised and used to download information such as names, home addresses, phone numbers and e-mail addresses for 1.3 million job seekers with résumés posted on Monster.com. After the breach, Monster said it upgraded its security through such steps as implementing new user authentication technology.
Lack of detail about the recent breach makes it impossible to know whether the job board was hit by an easy-to-defend attack or a sophisticated one that was virtually impossible to stop, said Jeremiah Grossman, chief technology officer at Web site security firm WhiteHat Security.
“The hope is Monster would reveal more in the future about what happened and what steps Monster is taking to calm any fears consumers may have,” Grossman said.
By Ed Frauenheim