Personal details from resumes and CVs from job seekers were exposed after a server belonging to a recruitment company that was a customer of Monster.com and others was left unprotected.
Monster.com which learned of the breach in August, did not initially alert potential victims to the exposure, contending that notification responsibly lay with the recruitment company that "owned" the data.
"Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security," Monster Chief Privacy Officer (CPO) Michael Jones said in a statement cited by TechCrunch. "Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database."
Jones said it contacted the recruitment company it first became aware of the exposed server, which was secured soon thereafter.
"In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical, said Peter Goldstein, CTO and co-founder of Valimail.
Indeed, "Monster might have paid careful attention to their internal security practices, but still the data that they are responsible for has been exposed," said Pankaj Parekh, chief product and strategy officer at SecurityFirst. "This is obviously not an acceptable excuse to those whose private information was exposed."
While "Monster shrugs its sloping shoulders," European regulators might not be so blaise about the leak, Lucy Security CEO Colin Bastable said. "Of course, Monster’s Ts and Cs – terms and conditions – may leave them without liability. Let’s see how the EU treats this."
Information exposed included work history, phone numbers, email addresses and home addresses on resumes submitted between 2014 and 2017.
"The exposed resumes give cybercriminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams," said Goldstein. "And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims."
He contended that "Monster may not have been required to notify regulators in this specific situation," but an organisation’s "best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach."
Users continue to get the short end of the stick and Bastable suggests maybe it’s time for the data-sharing model to change. "Why would anyone trust any business with their data when it is being pimped out like this?" said Bastable. "At least give people a slice of the action when you sell their data."
This article was originally published on SC Media US.