Home / Blogs

Monster.com Response to Security Breach Unacceptable

Mike Dailey

As some of us are continuing to learn this week the Monster.com service has again been successfully hacked. According to a security bulletin posted on Monster.com on January 23rd, 2009, the intruder gained access to the user database, while no resumes were apparently compromised. According to Monster.com:

"As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes."

As a user of Monster.com what I find incredibly upsetting about this situation is that I had to find out about this through a security blog. It has been well over 72 hours since this security incident was disclosed and I have received no direct notification from Monster.com that my personally identifiable information had been accessed without authorization. Since this is the second such security breach Monster.com has experienced in as many years I find it unbelievable and disheartening that Monster.com chose not to actively communicate the issue to their customers, instead waiting passively for us to visit the Monster.com site in hopes that the obscure little security notice on the right side of the web page would attract our attention to the matter.

When a for-profit web service such as Monster.com accepts and takes responsibility for the personally identifiable data of their customers they become wholly responsible for protecting those assets. Putting aside for a moment the separate issue of how the hacker gained access to our information (this alone is entirely unacceptable since it is the third security breach of Monster.com that I am aware of), the lax nature in which Monster.com is responding to the issue should be viewed by the public as an egregious and insulting lack of concern for the wellbeing of their customers.

Monster.com owes their customer base, as well as the public in general, an explanation as to how this breach was permitted to occur and why a more direct and timely notification to their customers has not taken place. To offer anything less should be considered unacceptable by us all.

I have changed my password on Monster.com and urge fellow Monster.com users to do the same. I have not yet, however, made up my mind as to whether or not I will continue to entrust my information to a company that in my opinion is demonstrating such little regard for the online safety and security of their customers.

By Mike Dailey, IT Architect and Sr. Network Engineer
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

You crack me up. Matthew Elvey  –  Jan 28, 2009 10:56 PM PDT

You're complaining about 72 hours!

When TD Ameritrade was broken into, it took them 2 YEARS (over 17,000 hours) to notify their 6.3 million customers that a database containing their SOCIAL SECURITY NUMBERS and ACCOUNT BALANCES among other things, had been ransacked.

It also took a lawsuit (which I filed - see my blog) and the threat of a looming injunction!

But you're right; legislation is needed that requires such notification.  California's law doesn't consider the data you said was taken as the kind of "Personal Information" that triggers a mandatory disclosure.  Perhaps another state has a better breach notification law.

RE: You crack me up. Mike Dailey  –  Jan 29, 2009 7:44 AM PDT

I understand your point on the 72 hours, Matthew, but the expectation should be immediate notification.  Just because it took another company years to notify their customers isn't an excuse for the next company to do the same.  If Monster.com knows what data was accessed then they know which users were affected and should be capable of notifying those users with little delay.  After all, if a spammer can generate millions of emails every day isn't it logical to assume a legitimate company can do the same?

Thanks for your reply.  You made some very good points.

-Mike D
http://www.daileymuse.com

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Cybercrime

Sponsored byThreat Intelligence Platform