Monster.com Attacked, User Data Stolen
Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"
Monster attack steals user data (Score:5, Insightful)
hmmm (Score:4, Insightful)
Re:The real question is (Score:3, Insightful)
Re:Monster doesn't help anyway--why use it? (Score:3, Insightful)
Re:Phishing Attack (Score:5, Insightful)
Remember, these are the type of people who were putting "5 years experience required in Windows 2003 admin" in 2005.
Re:Phishing Attack (Score:5, Insightful)
Monster.com was broken into for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing setup which is designed to hit a victim specifically by using a victim-specific ruse based on knowledge of personal data.
Recruitment agencies are actually a prime target for such attacks:
1. Nearly all of them (even the specialised Unix-oriented ones) require all CVs in Microshit Word, so pushing a custom Trojan is trivial.
2. Nearly all of them systematically violate the Data Protection Act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD-oriented agencies and more than 50% of the top 20 (by job posting numbers).
3. In addition to that, apparently at least one UK (and international) job board also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.
Frankly, this is an industry that is in desperate need of being smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them, and in many cases they possess more of your personal information than your bank.
So let's hope that the Monster case will cause some moves towards that.
Re:Blame the data security officers & project (Score:3, Insightful)
Re:Phishing Attack (Score:2, Insightful)
Re:"US recruitment site"?? (Score:1, Insightful)
Besides, the article is written from the POV of the British reader, as it's on a British news site, and it was necessary to distinguish it from the UK portal.
Not everyone lives in the US, you know...
Re:Monster attack steals user data (Score:5, Insightful)
Re:Monster doesn't help anyway--why use it? (Score:3, Insightful)
The majority of items in my apt were purchased off of craigslist. Not to mention my car, my current job and the apt itself.