[Reuters] Monster.com took 5 days to disclose data theft

Posted by: UGN Security

[Reuters] Monster.com took 5 days to disclose data theft - 08/24/07 02:35 PM

BOSTON (Reuters) - Monster.com waited five days to tell its users about a security breach that resulted in the theft of confidential information from some 1.3 million job seekers, a company executive told Reuters on Thursday.



Source

Posted by: IceMyst

Re: [Reuters] Monster.com took 5 days to disclose data theft - 08/31/07 03:46 PM

I just now got an email from Monster about their data theft (almost 2 weeks later!). This is what they told me (the words "bite me" ran through my mind as I read it):

 Quote:
Monster
Dear Valued Monster Customer,

Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.

As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records.

The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a "phishing" email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other websites.

We want to inform you about preventive measures you can take to protect yourself from online fraud. While no company can completely prevent unauthorized access to data, we believe that by reaching out to job seekers like you, the Company can help users better defend themselves against those who have attacked Monster as well as other databases.

We are committed to maintaining an ongoing dialogue with all of our job seekers about Internet security and the steps Monster is taking to protect its job seekers. The Company has placed a security alert on Monster sites offering information to educate you about online fraud. This information can be found at http://help.monster.com/besafe/. We have also included information on Internet safety and examples of fraudulent "phishing" emails at the bottom of this letter.

Monster has launched a series of initiatives to enhance and to protect the information you have entrusted to us. Some of these steps are being immediately implemented, while others will be put into place as appropriate.

We believe these actions are the responsible steps to protect the trust you place in Monster. We are also working with Monster's hundreds of thousands of employer customers to ensure a safe and effective online job search. We will continue to share information with you about the enhancements we are making as we serve as your online career resource partner. We invite you to keep reading to learn more about how to use the Internet safely.

Sincerely,

Sal Iannuzzi

Chairman and CEO

Monster Worldwide

HOW TO BE A SAFE INTERNET USER

Every Internet site in the world is facing the growing issue of fraudulent usage of information, and we want to work with users around the world to stop this practice - please keep reading to learn more about the warning signs and what you can do.

Spam email is such a common occurrence today; you may think you know what to look for. But there are two types of email scams - what's known as "phishing" and "spoofing" - that can be more difficult to identify. Both practices concern fraudulent email where the 'from address' has been forged to make it appear as if it came from somewhere, or someone, other than the actual source. Below are the warning signs to look for:

What's "phishing" all about – and how do I spot it?

Phishing emails are used to fraudulently obtain personal identification and account information. They can also be used to lure the recipient into downloading malicious software. The message will often suggest there are issues with the recipient's account that require immediate attention. A link will also be provided to a spoof website where the recipient will be asked to provide personal/account information or download malicious software. Monster will never ask you to download software in order to access your account or use our services.

How is it different than "spoofing"?

Spoof emails often include a fraudulent offer of employment and/or the invitation to serve as a go-between for payment processing or money transfers. This scam is primarily directed at a general audience, but it can also reach Monster members who have included contact information on their resumes. Like with phishing emails, the sender's address is often disguised.

Examples of fraudulent email:

These examples of fraudulent email show you what to watch out for (click to see details):

Example 1 Example 2 Example 3 Example 4 Example 5

Consumer Advice: How to Avoid Phishing Scams

The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically. While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet. The Anti-Phishing Working Group has compiled a list of recommendations that you can use to avoid becoming a victim of these scams.


Be suspicious of any email with requests for personal financial information.

Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately.

They typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.

Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic.

Instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser.

You should only communicate information such as credit card numbers or account information via a secure website or the telephone.

Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.

Additional consumer advice is available at http://www.antiphishing.org/consumer_recs.html.

If you have more questions, please visit http://help.monster.com/besafe.

Contact us at http://www.monster.com/contact.

Posted by: Gremelin

Re: [Reuters] Monster.com took 5 days to disclose data theft - 08/31/07 09:54 PM

How odd, I got mine like Aug 25th; but the weird part is, I haven't visited Monster in years lol...