Published on September 9th, 2019 📆 | 8347 Views ⚑
0Monster Never Told Users About Data Breach
The server held the resumes of job applicants spanning 2014 and 2017, and included private information such as phone numbers, home addresses, email addresses and prior work experience. TechCrunch reviewed many of the documents and reported that most of those impacted were located in the United States.
While thereâs no set number on how many users were affected, one folder from May 2017 contained thousands of resumes.
A statement by Monsterâs chief privacy officer, Michael Jones, said the server was owned by an unnamed recruitment customer that Monster no longer works with. Even after multiple requests, Monster declined to name the customer.
âThe Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,â the company said.
Although Monster said it secured the exposed server soon after it was discovered in August, it never notified users of the breach. In fact, it didnât admit to the incident until a security researcher alerted TechCrunch of it.
âCustomers that purchase access to Monsterâs data â candidate resumes and CVs â become the owners of the data and are responsible for maintaining its security,â the company said. âBecause customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customerâs database.â
Local data breach notification laws state that companies need to notify state attorneys general when large numbers of users are affected. While Monster technically does not have to disclose anything to regulators, some companies will still warn their users of an exposure.
However, Monster said because the exposure took place on a customer system, the company is ânot in a positionâ to identify or confirm affected users.
Gloss