Monster.Com Copes With Recovery

Monster has hired some security experts to help shore up their horrible network security to try to prevent another breach like the most recent debacle-  the loss of 1.6 Million user resume files which included the names, addresses and phone numbers of job seekers.

 

From the AP here:

Monster Worldwide Inc., a major online job-search site, said Wednesday it was beefing up its security measures following a significant data breach this month.
 
Sal Iannuzzi, the company’s chairman and chief executive, said the company was improving its surveillance of how the site is used as well as limiting the way data can be accessed.

Earlier this month data security company Symantec Corp. uncovered a scheme where con artists obtained user names and passwords of legitimate recruiters who use Monster to search for job candidates, and then gleaned personal information from job seekers that they then used to craft personalized “phishing” e-mails.

Monster said it believes the fake e-mails were sent to Monster users to lure them into divulging financial information.  Monster said it recently became aware of illegal downloads of personal information from 1.3 million job seekers with resumes posted on Monster.com, including their names, addresses and phone numbers.

Don’t you have to have some sort of “surveillance” in place in order to improve it?  And if they already had it in place, how piss-poor was it to miss 1.6 million records being spirited away by a few individual accounts?  Shouldn’t that set off a few alarms?  Or does Monster have tiered accounts-  bronze, silver, gold and OMFG-TAKEeverything?

I recently encountered a person by the name of Dan on another blog, talking about his views on the Monster.com databreach.  He is a Monster.com employee, leading their content group, with 8 years under his belt at the company.  This makes him a grizzled veteran.  And someone who survived the recent layoffs in which over 800 employees were axed.  And he most likely got all of those emails that employees get during security breaches that state “don’t talk to the public about this incident.  Refer them to the PR department.”  Yet he went on a blog and wrote the following:

He said:
“While there was nothing stolen that you couldn’t find in the phone book, it’s still an issue for job seekers when they start receiving unwanted emails.”

The phone book?  The phone book is a paper product and cannot be digitally downloaded to have 1.6 million names of people that need jobs.  And even the online versions such as Bigbook.com only allows you to get a few names at a time. 

And I don’t think Dan gets the scope of the breach and what Monster gives criminals by their dismal lack of security. 

Its not the first time a breach like this has happened.  Monster’s resume base has been pharmed for years by criminals.  These criminals need to contact the unemployed and the desperate to get them to serve as mules to launder money from identity theft rings, drug money and yes, even terrorist financing.

Maybe this new security team can show Monster how to monitor their database using technology developed nine years ago.  Its called statistical anomaly detection.  Account metering.  Email alerts.  They should check into it.  All of their competitors do it.