Leading employment search site Monster.com appears to have been the source of thousands of exposed resumes discovered in a third party data breach last week. While the breach did not contain financial information, the United States-based company has been adamant that it does not have any responsibility to notify end users when a business partner is breached – an attitude that is at odds with privacy regulations in much of the rest of the world, and may have run Monster.com afoul of some state laws.
The extent of the Monster.com breach
The breach exposed thousands of resumes and CVs that originated from Monster.com. These appear to have been posted in 2014 and 2017 specifically; the folder they were found in was entitled “May 2017.”
An unnamed security researcher discovered the breach and contacted Monster.com and TechCrunch. Monster.com did not acknowledge the breach until TechCrunch reporters contacted them about it.
Monster.com chief privacy officer Michael Jones commented that the breached server was owned by a recruitment company that he declined to name. He also stated that Monster.com does not consider itself responsible for reporting third party data breaches as the client “owns the data.”
Though no financial information was exposed, the resumes contained a good deal of data that many people prefer to keep private: home addresses, phone numbers, email addresses and work history. Some immigration status documentation was also found, though that is not believed to have come from Monster.com.
It’s the sort of information that hackers love to have as a source for impersonation-based attacks such as spear phishing and SIM swaps. Hackers also like to use resumes for malware attacks on HR departments using legitimate-looking attachments, which can create a major headache for the hapless victim whose identity was used.
Though Monster.com’s denial of responsibility is legally acceptable under United States federal law, it puts the company at odds with the standard data protection requirements of a number of other nations. For example, the European Union’s General Data Protection Regulation requires a company considered a “data controller” to notify customers about any data breaches that occur with “data processors” that they outsource to. Since Monster.com won’t name the contractor and we do not yet know if European Union residents were included in the breach, it is not yet clear where they stand in terms of these GDPR definitions. However, a key term is that any data the contractor is using must be returned to the data controller or at minimum removed from their systems when the partnership is ended.
While early examination of the resumes indicates that they are mostly from job seekers in the United States, it is possible that some citizens of the European Union were included in the breach. If that is the case, Monster.com could be subject to GDPR reporting requirements. Monster.com may have also already fallen short of some third party data breach notification requirements in individual states. States currently have a patchwork of unique requirements, one of the main reasons behind a recent push for unified federal standards.
As Matan Or-El, co-founder and CEO of Panorays, points out, California’s new “GDPR Lite” laws will soon force Monster.com to allow consumers to opt out of having their personal information sold:
“The data exposure incident involving Monster.com illustrates precisely the situation that privacy regulations are attempting to address. While Monster.com noted that they are not responsible for data sold to third parties, the California Consumer Privacy Act will require that companies provide customers with the right to opt out of selling their personal information to third parties. Once CCPA goes into effect, failing to provide customers with this right will undoubtedly result in substantial penalties. For this reason, companies are increasingly realizing that they must put processes in place to manage the collection and sharing of data, as well as assess and continuously monitor the third-parties that have access to that data.”
Monster.com claims that they cannot identify or confirm the identities of impacted users given that the data was held by a third party. However, they did appear to be able to confirm that the breach had been fixed by the recruitment company even though the company is no longer a client of theirs.
Monster’s hairy data handling history
This is far from the first time that Monster.com has run into issues with data breach reporting. The company has an unfortunate history of sitting on breach notifications that dates back over a decade.
The current incident is reminiscent of one that took place in 2007, when Monster.com was directly attacked by Ukrainian hackers who stole resume and contact information for over a million of the site’s users. The company was criticized for waiting for a week to notify customers that were impacted.
The company ran into trouble again in 2009 when a similar attack stole the information of millions more users.
Unlike those attacks, the more recent one potentially did not divulge information to attackers before it was discovered by the security researcher. The potential harm does not change best practices in reporting to customers, however.
As Peter Goldstein, CTO and co-founder of Valimail, observes:
“In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical. While Monster may not have been required to notify regulators in this specific situation, best practices (and in some cases GDPR regulations) dictate that companies notify the customers impacted by a breach. The exposed resumes give cyber criminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams. And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims. Companies must take more proactive measures to keep customer data secure and protected, and in the event of a breach, they must inform those impacted so as to minimize the possibility of them falling victim to future attacks.”
Should Monster.com be held accountable for a third party data breach?
The argument that Monster.com makes is not completely without merit. If the customer provides the company with personal data knowing that the company will sell it, the company has only so much control over (and thus responsibility for) what its data partners do with it.
There are a number of factors that complicate this argument, however. The first is how well-informed the customer really is about how their data is being used. Regulations such as the GDPR (and the upcoming California legislation) require that customers be informed not just technically, with a giant page of legalese they are asked to click through, but in plain and clear language, with pertinent items separated out for individual consent.
Another issue is the company’s reputation. Even if it is a former business partner that is entirely responsible for a third party data breach, the headlines will give the impression that it is data they are solely responsible for. Questions of trust then arise in the minds of the owners of this data.
Colin Bastable, CEO of security awareness training company Lucy Security, summed up the third party data breach issue as follows:
“Once again, third party risk is shown to be the great cybersecurity risk multiplier. But this case should serve as a wake-up call to every consumer – our data is not our own. Aggregated data is being traded for massive profits, and like mortgages and other debt, it is packaged and sold with no come-back.
“Monster washes its hands of responsibility for your data security the moment it sells it – ‘Customers that purchase access to Monster’s data – candidate résumés and CVs – become the owners of the data and are responsible for maintaining its security,’ the company said.
“Why would anyone trust any business with their data when it is being pimped out like this? At least give people a slice of the action when you sell their data. Monster shrugs its sloping shoulders, but this is important data that it has profiteered from. Bad actors can use resume information to phish, to impersonate, to build socially-engineered attacks on past, present and future employers, on colleagues and on the poor saps who trusted Monster. Of course, Monster’s Ts and Cs – terms and conditions – may leave them without liability. Let’s see how the EU treats this.”
This does not mean that companies can (or will) give up on all forms of sale of personal data. But risk can be mitigated with strong cybersecurity screening of partners and strong contracts with clear language about data protection terms and responsibilities in the case of a third party data breach. Vinay Sridhara, CTO of Balbix, also brings up the need for ongoing screening of business partners:
“Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches and avoid fines from data privacy laws.”
At the moment, Monster.com has the luxury of shrugging off yet another data breach related to them. That could very quickly cease to be an option with regulatory changes that make them solely responsible for notifications to affected parties, perhaps along with a strong dose of consumer backlash.