The server held the resumes of job applicants spanning 2014 to 2017, which included private information such as phone numbers, home addresses, email addresses and prior work experience. TechCrunch reviewed many of the documents and reported that most of those impacted were located in the United States.
While there’s no set number for how many users were affected, one folder from May 2017 contained thousands of resumes.
A statement by Monster’s chief privacy officer, Michael Jones, said the server was owned by an unnamed recruitment customer that Monster no longer works with. Even after multiple requests, Monster declined to name the customer.
“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said.
Although Monster said it secured the exposed server soon after it was discovered in August, it never notified users of the breach. In fact, it didn’t admit to the incident until a security researcher alerted TechCrunch to it.
“Customers that purchase access to Monster’s data — candidate resumes and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
Local data breach notification laws state that companies need to notify state attorneys general when large numbers of users are affected. While Monster technically does not have to disclose anything to regulators, some companies will still warn their users of an exposure.
However, Monster said that because the exposure took place on a customer system, the company is “not in a position” to identify or confirm affected users.