According to a report, a web server was found storing résumés of job seekers, including résumés from employment sites such as Monster.
The server held CVs and résumés of job applicants spanning 2014 and 2017, containing private information such as phone numbers, email addresses, home addresses and users’ prior work experience. Most users were located in the United States.
It is still unclear how many documents were exposed, but thousands of résumés were found in a single folder dated May 2017. Other exposed documents found on the server include immigration documentation for work, which Monster does not collect.
Michael Jones, Monster’s chief privacy officer, said in a statement that an unnamed recruitment customer owned the server and that this server no longer works. The company did not give the recruitment customer’s name.
The company said: “The Monster Security Team was made aware of possible exposure and notified the recruitment company of the issue. The exposed server was secured shortly after it was reported in August.”
The data from the exposed web server is no longer accessible to users, but hundreds of résumés and other documents can be found in results cached by search engines.
Monster did not inform users about the exposure, and only acknowledged that user data was exposed after a security researcher alerted TechCrunch to the issue.
The company also said: “Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
Under local data breach notification laws, all companies are required to inform state attorneys general where large numbers of users in their states are affected. Although Monster is not obliged to reveal the exposure to regulators, some companies proactively warn their users even when third parties are involved. It is not uncommon for companies to warn users about a third-party breach.
At the beginning of this year, after hackers stole millions of credit cards from third-party payments processor American Medical Collection Agency, its customers, LabCorp and Quest Diagnostics, admitted to the security lapse.
Monster also said that, due to the exposure of this data, the company is “not in a position” to identify or confirm affected users.