Security & Fraud

Monster: Job Seekers’ Resumes Were Exposed Online was the victim of a data breach caused by an exposed web server, but failed to inform users about the incident.

The server held the resumes of job applicants spanning 2014 and 2017, and included private information such as phone numbers, home addresses, email addresses and prior work experience. TechCrunch reviewed many of the documents and reported that most of those impacted were located in the United States.

While there’s no set number on how many users were affected, one folder from May 2017 contained thousands of resumes.

A statement by Monster’s chief privacy officer, Michael Jones, said the server was owned by an unnamed recruitment customer that Monster no longer works with. Even after multiple requests, Monster declined to name the customer.

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said.

Although Monster said it secured the exposed server soon after it was discovered in August, it never notified users of the breach. In fact, it didn’t admit to the incident until a security researcher alerted TechCrunch of it.

“Customers that purchase access to Monster’s data — candidate resumes and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Local data breach notification laws state that companies need to notify state attorneys general when large numbers of users are affected. While Monster technically does not have to disclose anything to regulators, some companies will still warn their users of an exposure.

However, Monster said because the exposure took place on a customer system, the company is “not in a position” to identify or confirm affected users.


Featured PYMNTS Study:

More than 63 percent of merchant service providers (MSPs) want to overhaul their core payment processing systems so they can up their value-added services (VAS) game. It’s tough, though, since many of these systems date back to the pre-digital era. In the January 2020 Optimizing Merchant Services Playbook, PYMNTS unpacks what 200 MSPs say is key to delivering the VAS agenda that is critical to their success.