WPF Consumer Alert: Another Monster.com Data Breach
Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence, and other victims of crimes such as stalking may be especially at risk
January 27, 2009
Monster.com has announced a data breach of its web site. According to the job site, Monster.com user IDs and passwords, email addresses, names, phone numbers, and some “basic demographic data” were compromised. Monster notified victims of the breach through its web site on Friday, January 23, 2009. It is unclear how many millions of people this notice affects, as Monster.com did not give an estimate. In press reports, however, Monster has acknowledged that the breach is global, with only Asia Pacific and Eastern Europe spared.
Job seekers who have safety concerns, such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking, may be especially at risk. These people have an immediate need to know if their personal — and in some cases previously unpublished — information may be in the hands of criminals. Other job seekers may also be at risk of identity theft and other targeting by the criminals. For example, job seekers may receive highly targeted and convincing phishing emails which can lead to further mischief.
The data breach at Monster.com highlights just how valuable job seekers’ demographic and contact information is to thieves: in criminal hands it serves as a road map for identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable because they can be tried against other sites and email accounts, and will succeed wherever a person has reused the same password.
Current breach notice from Monster.com:
January 23, 2009
As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include – sensitive data such as social security numbers or personal financial data.
Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.
In order to help assure the security of your information, you may soon be required to change your password upon logging onto the site. Please follow the instructions on the site. We would also recommend you proactively change your password yourself as an added precaution. We regret any inconvenience this may cause you, but feel it is important that you take these preventative measures.
As a further precaution, we want to remind you that an email address could be used to target “phishing” emails. Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, “tool” or “access agreement” in order to use your Monster account. Monster’s security page, http://my.monster.com/securitycenter, provides users with a substantial amount of information about different types of Internet fraud. We encourage you to review the information to learn more about what you can do to protect yourself on the Internet.
The protection of your data is a high priority for Monster. Our newly redesigned Web site has, and will continue to add, safety and security features to protect your information and we want you to feel confident using it.
We continue to devote significant resources to ensure Monster has appropriate security controls in place to protect our infrastructure, and while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks.
We truly value the trust you place in Monster and appreciate the opportunity to continue to serve as your online career resource.
Senior Vice President, Global Chief Privacy Officer
(For the complete notice, please see <http://help.monster.com/besafe/jobseeker/index.asp>.)
USAJobs.com has a security notice posted (as of January 27, 2009). Monster.com did not say whether the breach affected job seekers using the Federal Government’s official job web site, USAJobs.com, whose operation is outsourced to Monster.com. The wording of the security notice, however, suggests that it likely did: <http://www.usajobs.gov/SecurityNotice.asp>.
Tips for Monster.com Breach Victims
If you have created a profile at Monster.com with a password, here is what you need to know:
- If you posted your resume on Monster.com, or even just created an account on Monster.com, you need to find out whether it was one of the accounts or profiles that was compromised. Jobseekers should contact Monster.com directly regarding this issue. <http://my.monster.com/contactus.aspx>.
- Going forward, work to make your job searching efforts as safe as possible. The World Privacy Forum has published detailed job search privacy tips, Job Seekers’ Guide to Resumes: Twelve Resume Posting Truths. Those tips are available here: <http://www.worldprivacyforum.org/2009/02/consumer-tips-job-seekers-guide-to-resumes/>. See also the next heading in this alert for brief tips.
- The Federal Trade Commission has excellent resources on what to do when your information may have been compromised: <http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/compromised.html>.
General job search safety and privacy tips in brief
- When you use job sites, limit the contact information you give to the site, even if that information is already on your resume. When you create a user profile, consider using a disposable email address, use a P.O. Box or a PBX address, and consider shortening your name to first initial plus last name. It is particularly important to use a unique password at each job site, one you use nowhere else, so that a breach at one site cannot open your accounts elsewhere. Do not re-use passwords!
- If you have safety concerns or work in a profession where you must limit exposure of your personal information, you may want to take an additional step and use either a shelter address/phone number, or another safe address that does not tie back to your residence whatsoever.
- For disposable, customizable email addresses, we like www.nyms.net, a pay service available through Anonymizer.com. (The World Privacy Forum has no financial arrangement or business ties with Anonymizer, however, we are paying customers of the Nyms service.)
- For more tips, see <http://www.worldprivacyforum.org/2009/02/consumer-tips-job-seekers-guide-to-resumes/>.
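The reasoning above about compromised passwords opening other accounts, and the tip never to reuse a password, can also be turned around by a site operator: once another site’s credentials have leaked, check your own user base for the same passwords and force a reset before an attacker replays them. The script below is an added example (not code from Monster.com or the World Privacy Forum) that runs this check against constructed sample data; the PBKDF2 iteration count, the user-record layout and all emails and passwords are assumptions for illustration only.

```python
"""Added example: checking a user base for passwords reused from a breach dump.

Not code from Monster.com or the World Privacy Forum. A site operator who
learns that another site's credentials have leaked can test whether any of
its own users chose the same password there, which is exactly what makes
reused passwords valuable to an attacker. All data below is constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; an assumption for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which a site should store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Create a user record with a fresh random salt (constructed data only)."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed stand-in for a leaked dump from "Site A": the email and the
# cleartext password the attacker now holds. Purely illustrative.
LEAKED_SITE_A = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Summer2008!"),
    ("carol@example.com", "c4r0l-jobsearch"),
]

# Constructed user store for "Site B", the site doing the check. Only salted
# hashes are stored, so the check must re-hash each leaked password per user.
SITE_B_USERS = [
    make_user("alice@example.com", "correct horse battery staple"),  # reused from Site A
    make_user("bob@example.com", "unique-to-site-b-9f3k"),           # different password
    make_user("dave@example.com", "Summer2008!"),                    # Bob's leaked password, other email
]


def check_same_account(leaked, users):
    """Emails whose leaked password also opens their account on this site.

    This is the credential-stuffing case: the attacker replays each
    (email, password) pair exactly as leaked.
    """
    by_email = {u["email"]: u for u in users}
    hits = []
    for email, password in leaked:
        user = by_email.get(email)
        if user is None:
            continue
        if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            hits.append(email)
    return hits


def check_any_account(leaked, users):
    """Emails of every user whose password appears anywhere in the dump.

    Wider than the replay case: leaked passwords also feed wordlists that
    are tried against every account, so a match under any email counts.
    Cost is one PBKDF2 per (leaked password, user) pair.
    """
    leaked_passwords = {password for _, password in leaked}
    hits = []
    for user in users:
        for password in leaked_passwords:
            if hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
                hits.append(user["email"])
                break
    return hits


if __name__ == "__main__":
    print("Force a reset (same-account replay):", check_same_account(LEAKED_SITE_A, SITE_B_USERS))
    print("Force a reset (password in dump):   ", check_any_account(LEAKED_SITE_A, SITE_B_USERS))
```

The second check is the one worth running after a breach of this kind: Dave never had a Monster-style account on the leaking site, but because his password is now in a public dump it will be tried against him anyway. Both checks are only possible because the operator holds the cleartext from the dump; they never require storing anything but salted hashes on your own side.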
Other articles about this breach:
- AFP <http://tech.yahoo.com/news/afp/20090127/tc_afp/britaincomputercrime>
- Washington Post <http://voices.washingtonpost.com/securityfix/2009/01/monstercom_breach_may_bring_mo.html?wprss=securityfix>
- Bloomberg <http://www.bloomberg.com/apps/news?pid=20601102&sid=aVlh9owPEiAM&refer=uk>
Resources from the FTC:
- Information on how to file an FTC Complaint: <http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/filing-a-report.html>.
- FTC Consumer Alert on what to do when your personal information is compromised: <http://www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.shtm>.
- FTC Consumer Alert on how not to get hooked on a phishing scam: <http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.pdf>.
Other resources on Phishing:
- OnGuard Online, a joint government agency and industry site on how to avoid phishing scams: <http://onguardonline.gov/phishing.html>.