NordVPN Promotion

Home / Blogs

Monster.com Response to Security Breach Unacceptable

As some of us are continuing to learn this week the Monster.com service has again been successfully hacked. According to a security bulletin posted on Monster.com on January 23rd, 2009, the intruder gained access to the user database, while no resumes were apparently compromised. According to Monster.com:

“As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes.”

As a user of Monster.com what I find incredibly upsetting about this situation is that I had to find out about this through a security blog. It has been well over 72 hours since this security incident was disclosed and I have received no direct notification from Monster.com that my personally identifiable information had been accessed without authorization. Since this is the second such security breach Monster.com has experienced in as many years I find it unbelievable and disheartening that Monster.com chose not to actively communicate the issue to their customers, instead waiting passively for us to visit the Monster.com site in hopes that the obscure little security notice on the right side of the web page would attract our attention to the matter.

When a for-profit web service such as Monster.com accepts and takes responsibility for the personally identifiable data of their customers they become wholly responsible for protecting those assets. Putting aside for a moment the separate issue of how the hacker gained access to our information (this alone is entirely unacceptable since it is the third security breach of Monster.com that I am aware of), the lax nature in which Monster.com is responding to the issue should be viewed by the public as an egregious and insulting lack of concern for the wellbeing of their customers.

Monster.com owes their customer base, as well as the public in general, an explanation as to how this breach was permitted to occur and why a more direct and timely notification to their customers has not taken place. To offer anything less should be considered unacceptable by us all.

I have changed my password on Monster.com and urge fellow Monster.com users to do the same. I have not yet, however, made up my mind as to whether or not I will continue to entrust my information to a company that in my opinion is demonstrating such little regard for the online safety and security of their customers.

By Mike Dailey, IT Architect and Sr. Network Engineer

Filed Under

Comments

You crack me up. Matthew Elvey  –  Jan 29, 2009 5:56 AM

You’re complaining about 72 hours!

When TD Ameritrade was broken into, it took them 2 YEARS (over 17,000 hours) to notify their 6.3 million customers that a database containing their SOCIAL SECURITY NUMBERS and ACCOUNT BALANCES among other things, had been ransacked.

It also took a lawsuit (which I filed - see my blog) and the threat of a looming injunction!

But you’re right; legislation is needed that requires such notification.  California’s law doesn’t consider the data you said was taken as the kind of “Personal Information” that triggers a mandatory disclosure.  Perhaps another state has a better breach notification law.

RE: You crack me up. Mike Dailey  –  Jan 29, 2009 2:44 PM

I understand your point on the 72 hours, Matthew, but the expectation should be immediate notification. Just because it took another company years to notify their customers isn't an excuse for the next company to do the same. If Monster.com knows what data was accessed then they know which users were affected and should be capable of notifying those users with little delay. After all, if a spammer can generate millions of emails every day isn't it logical to assume a legitimate company can do the same? Thanks for your reply. You made some very good points. -Mike D http://www.daileymuse.com

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

NordVPN Promotion