BelchSpeak

Monster.Com Breached Again

I have no idea how Monster can continue to stay in business if it doesn’t do anything to protect the integrity and confidentiality of the data its users entrust to it. For the second time in 18 months, Monster has had millions of user accounts, including cleartext usernames and passwords and email addresses, swiped by hackers. This information is valuable to hackers because they can use it to write phishing emails that appear to originate from Monster.Com and to enlist job seekers in becoming money-laundering mules.

In the latest breach, Monster put a notice here on their website that says:

As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include – sensitive data such as social security numbers or personal financial data.

Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.

Now let’s flash back to 2007 and their statement to the press regarding that breach:

Sal Iannuzzi, the company’s chairman and chief executive, said the company was improving its surveillance of how the site is used as well as limiting the way data can be accessed. Iannuzzi declined to provide specific details about how the new security measures will work, saying he didn’t want to make them vulnerable to potential hackers.

It appears obvious that whatever improvements were made to Monster’s surveillance and security measures did not work. Data was stolen yet again. And now we are supposed to believe that a company that can’t see hackers on its own network is somehow going to watch whether that data is being used improperly? Riiiight.

Getting breached a second time, in pretty much the same way as the first, means one of two things:

  1. They are incompetent at information security.
  2. They are operating at an acceptable level of risk.

If they are just incompetent, then they should fire the IT staff, starting with the CISO. If they are operating at an acceptable level of risk, then the users have to decide whether they want their personal information handed over to criminal gangs. Either way, it’s no way to run a business.

Dr. Jones