The employers' section of the recruitment website has been
broken into by a program which then harvested 1.6 million pieces of
information and stored them somewhere the people behind the hack
could access them, according to security firm Symantec.
Some Monster users have received emails pretending to be from
Monster which encourage them to download software they say is a
recruitment tool. It is in fact malicious software which encrypts
the information on their computers and demands a ransom for it to
be unlocked.
Symantec said that the same hacker group may be behind both sets
of activity. "We have informed Monster.com of the compromised
Recruiter accounts so they can be disabled," Symantec said in its
disclosure of the problems.
"To protect your identity when using recruitment sites, or at
least limit your exposure to identity theft, you should limit the
contact information you post on these sites, use a separate
disposable email address and never disclose sensitive details such
as your Social Security number, passport or driver’s license
numbers, bank account information, etc. to prospective employers
until you have established they are legitimate," said Symantec.
Monster itself recently warned that recruitment websites were
prime targets for identity theft because of the wealth of
biographical and bureaucratic information contained on CVs. It
teamed up with security consultancy Cyveillance to warn site users
that they should be vigilant about giving out their data.
In the UK, the Information Commissioner's Office (ICO) has also
warned that the recruitment industry is a rich target for ID
thieves. It warned that half of recruiters were not registered with
it as data controllers, which they ought to be by law.
The ICO advises in its Employment Practices Data Protection Code
that job applications and the information contained in them should
be sent and stored securely. "Ensure that a secure method of
transmission is used for sending applications online (e.g.
encryption-based software)," says the Code. "Ensure that once
electronic applications are received, they are saved in a directory
or drive which has access limited to those involved in the
recruitment process."
Symantec said that the program which broke into Monster.com did
so by pretending to be an employer. "The Trojan appears to be using
the (probably stolen) credentials of a number of recruiters to
login to the website and perform searches for resumes of candidates
located in certain countries or working in certain fields," said
Symantec in a blog about the vulnerability.
"The personal details of those candidates, such as name,
surname, email address, country, home address, work/mobile/home
phone numbers and resume ID, are then uploaded to a remote server
under the control of the attackers," it said. "This remote server
held over 1.6 million entries with personal information belonging
to several hundred thousand candidates, mainly based in the US,
who had posted their resumes to the Monster.com web site."
A Monster spokesman told the BBC that the incident did not
involve especially personal information. "We are not aware of any
cases of identity theft. In fact, the information that is gathered
from Monster is no different than that displayed in a phone book,"
said Patrick Manzo, vice president of fraud prevention and
compliance at Monster.