
Monster.com Response to Security Breach Unacceptable

Mike Dailey

As some of us are continuing to learn this week, the Monster.com service has again been successfully hacked. According to a security bulletin posted on Monster.com on January 23rd, 2009, the intruder gained access to the user database, while no resumes were apparently compromised. According to Monster.com:

"As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes."

As a user of Monster.com, what I find incredibly upsetting about this situation is that I had to find out about it through a security blog. It has been well over 72 hours since this security incident was disclosed, and I have received no direct notification from Monster.com that my personally identifiable information was accessed without authorization. Since this is the second such security breach Monster.com has experienced in as many years, I find it unbelievable and disheartening that Monster.com chose not to actively communicate the issue to its customers, instead waiting passively for us to visit the Monster.com site in the hope that the obscure little security notice on the right side of the web page would draw our attention to the matter.

When a for-profit web service such as Monster.com accepts and takes responsibility for the personally identifiable data of its customers, it becomes wholly responsible for protecting those assets. Putting aside for a moment the separate issue of how the hacker gained access to our information (this alone is entirely unacceptable, since it is the third security breach of Monster.com that I am aware of), the lax manner in which Monster.com is responding to the issue should be viewed by the public as an egregious and insulting lack of concern for the wellbeing of its customers.

Monster.com owes its customer base, as well as the public in general, an explanation of how this breach was allowed to occur and why a more direct and timely notification to its customers has not taken place. Anything less should be considered unacceptable by us all.

I have changed my password on Monster.com and urge fellow Monster.com users to do the same. I have not yet, however, made up my mind as to whether I will continue to entrust my information to a company that, in my opinion, is demonstrating so little regard for the online safety and security of its customers.

By Mike Dailey, IT Architect and Sr. Network Engineer.


Comments

You crack me up. Matthew Elvey  –  Jan 28, 2009 10:56 PM PDT

You're complaining about 72 hours!

When TD Ameritrade was broken into, it took them 2 YEARS (over 17,000 hours) to notify their 6.3 million customers that a database containing their SOCIAL SECURITY NUMBERS and ACCOUNT BALANCES among other things, had been ransacked.

It also took a lawsuit (which I filed - see my blog) and the threat of a looming injunction!

But you're right; legislation is needed that requires such notification.  California's law doesn't consider the data you said was taken as the kind of "Personal Information" that triggers a mandatory disclosure.  Perhaps another state has a better breach notification law.

RE: You crack me up. Mike Dailey  –  Jan 29, 2009 7:44 AM PDT

I understand your point on the 72 hours, Matthew, but the expectation should be immediate notification.  Just because it took another company years to notify their customers isn't an excuse for the next company to do the same.  If Monster.com knows what data was accessed then they know which users were affected and should be capable of notifying those users with little delay.  After all, if a spammer can generate millions of emails every day isn't it logical to assume a legitimate company can do the same?

Thanks for your reply.  You made some very good points.

-Mike D
http://www.daileymuse.com
