WPF Consumer Alert: Monster.com Data Breach
Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence, and other victims of crimes such as stalking may be especially at risk
Updated: August 30, 2007
UPDATE: Monster.com has announced that its data breach was more widespread than original press reports indicated. Also, the official Federal government job site USAjobs.com has been impacted by the breach.
From Monster.com:
“The Company has determined that this incident is not the first time Monster’s database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a ‘phishing’ email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other web sites.” See <http://help.monster.com/besafe/email/> for the full message.
USAJobs.com
The data breach has also affected job seekers using the Federal Government’s official job web site, USAJobs.com, which is outsourced to Monster.com. The U.S. Office of Personnel Management has announced that hackers breached about 146,000 USAJobs.com subscribers. See USAJobs security notice: <http://www.usajobs.gov/SecurityNotice.asp> and the official OPM press release about the breach.
For: August 22, 2007
Note: This consumer alert is based on published news accounts and other secondary sources that appear to be reliable. However, the information available and presented here may not be complete, or completely accurate. We have made a good faith and best effort to ensure accuracy of this information. If you are reading this alert after August 22, 2007, some of the information may be out of date. For updates, we advise monitoring Symantec.com (at Symantec home page, do a keyword search: Monster.com) and Monster.com. Please see the Resources section of this alert for links to articles about the breach and links to the Symantec security analysis of this breach.
Job seekers who have posted resumes at Monster.com may have had their personal information stolen by cyberthieves who broke into Monster.com databases. The breach may have come through recruiters’ accounts that had been compromised by hackers. According to security firms that have analyzed the breach, the personal information of hundreds of thousands of job seekers was compromised by this breach. [1]
Job seekers who have safety concerns, such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking, may be especially at risk. These people have an immediate need to know if their personal — and in some cases unpublished — information may be in the hands of criminals. Other job seekers may also be at risk of identity theft and other targeting by the criminals.
The information confirmed stolen, according to Symantec, was job seekers’ contact information: home address, phone numbers, email address, and resume IDs. But because the thieves may have had access to full resumes through compromised recruiters’ accounts, job seekers should assume, for safety purposes and until told otherwise, that the thieves were able to see anything they put on a resume. Typically, this includes a home or mailing address, phone number, cell phone numbers, email address, and work and education history, among other standard resume items. Some job seekers also put Social Security Numbers on resumes.
The data breach at Monster.com highlights just how valuable resumes are to thieves. Many individuals choose not to have their home address or cell number published in phone books or elsewhere. But job seekers who want to be contacted by valid employers need to give those employers considerable amounts of non-public personal information. Resumes in the hands of thieves can be used like a road map for criminal ventures, including identity theft, phishing and spamming.
If you have posted your resume at Monster.com, here is what you need to know:
Timing:
We have not been able to find from Symantec’s analysis, other news articles, or postings by Monster.com definitive information about the timeline this breach may cover. This is important information that we hope Monster.com releases to the public.
Victims and security breach notification:
The announcements of the Monster.com breach have come through security firms like Symantec and others that have analyzed the breach and found the data stores and captured the data streams. Depending on the state you live in and the state security breach laws there, you may or may not be entitled to notification by Monster.com of this breach. Because the facts are not entirely clear, it is impossible to assess fully any security breach notification obligations.
Regarding notice to victims, we know Symantec has published an analysis of the breach and has notified Monster.com. But we are unsure of the status of any direct notification Monster has made to victims or potential victims. Monster.com has an undated email warning on its security page, but we do not know whether this warning refers to this breach. No specific discussion of this breach, its timing, its details, or its victims was available on the Monster.com Security Page as of 3 pm PDT, August 21, 2007 <http://help.monster.com/besafe/>. From what we have been able to determine from its site and news articles, Monster.com is not currently offering free credit monitoring to victims, a now-traditional best-practice response to a security breach.
Computer security issues
According to the Symantec analysis of the Monster.com data breach [2], there are several aspects to this data breach. Personal information of job seekers appears to have been stolen from Monster.com, and some victims may have received further phishing emails. Some victims who received the phishing emails may also have downloaded a “Monster Job Seeker Tool” toolbar containing a Trojan [3] that sends victims’ information back to the criminals. Those who downloaded the “Monster Job Seeker Tool” may be at especially increased risk.
PC World has provided excellent tips for computer cleanup for those toolbar victims at: <http://blogs.pcworld.com/staffblog/archives/005186.html>. For general tips on cleaning up computer viruses see: <http://www.pcworld.com/article/id,126499-c,techsupport/article.html>.
Other tips for victims of this breach
- If you posted your resume on Monster.com, you need to find out whether it was one of the accounts or profiles that was compromised. Job seekers should contact Monster.com regarding this issue: <http://my.monster.com/contactus.aspx>.
- You may be entitled to notification of the data breach depending on the facts and the state you live in. Your state Attorney General’s web site should have information about your state’s data breach laws. Here is a link to a recent compilation of state laws: <http://www.consumersunion.org/campaigns/Breach_laws_May05.pdf>.
- Going forward, work to make your job searching efforts as safe as possible. The World Privacy Forum has published detailed job search privacy tips, Job Seekers’ Guide to Resumes: Twelve Resume Posting Truths. Those tips are available here: <https://www.worldprivacyforum.org/2009/02/consumer-tips-job-seekers-guide-to-resumes/>. See also the next heading in this alert for brief tips.
- The Federal Trade Commission has excellent resources on what to do when your information may have been compromised: <http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/compromised.html>.
General job search safety and privacy tips in brief
- When you use job sites, limit the contact information you give to the site, even if that information is on your resume. Use a disposable email address, use a P.O. Box or a PBX address, and consider shortening your name to first initial plus last name.
- If you have safety concerns or work in a profession where you must limit exposure of your personal information, you may want to take an additional step and use either a shelter address/phone number, or another safe address that does not tie back to your residence whatsoever.
- For disposable, customizable email addresses, we like www.nyms.net, a $20-a-year service available through Anonymizer.com. (The World Privacy Forum has no financial arrangement or business ties with Anonymizer; however, we are paying customers of the Nyms service.)
- For more tips, see <https://www.worldprivacyforum.org/2009/02/consumer-tips-job-seekers-guide-to-resumes/>.
Resources
Here are links to some additional resources to learn more about this breach and to find other information.
Security analysis of Monster.com breach:
- Symantec has an excellent analysis of this breach posted here: <http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_monster_trojan.html>. Symantec also has a detailed page on two of the Trojans they found associated with the breach, Infostealer.Monstres <http://www.symantec.com/security_response/writeup.jsp?docid=2007-081617-4608-99&tabid=1> and Trojan.Gpcoder.E <http://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=3>.
- SecureWorks also has an analysis of the Monster.com breach: <http://www.secureworks.com/research/blog/index.php/2007/8/17/prg-trojan-injected-ads-on-job-sites-46000-victims-infected-thus-far>.
Other articles about this breach:
- Forbes.com <http://www.forbes.com/technology/2007/08/20/symantec-monster-research-tech-cx_0820darkreading.html>.
- CIO.com <http://www.cio.com/article/131950/ID_Attack_Widens_With_._M_Records_Stolen_from_Monster.com>.
- Boston Globe: <http://www.boston.com/business/technology/articles/2007/08/22/data_thieves_hit_monstercom_site/>.
Resources from the FTC:
- Information on how to file an FTC Complaint: <http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/filing-a-report.html>.
- FTC Consumer Alert on what to do when your personal information is compromised: <http://www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.shtm>.
- FTC Consumer Alert on how not to get hooked on a phishing scam: <http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.pdf>.
Other resources on Phishing:
- OnGuard Online, a joint government agency and industry site on how to avoid phishing scams: <http://onguardonline.gov/phishing.html>.
____________________________________
Endnotes:
[1] Amado Hidalgo, Symantec, A Monster Trojan, August 17, 2007: <http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_monster_trojan.html>.
[2] Amado Hidalgo, Symantec, A Monster Trojan, August 17, 2007: <http://www.symantec.com/enterprise/security_response/weblog/2007/08/a_monster_trojan.html>. Another analysis was written by Don Jackson, SecureWorks, Prg Trojan Injected Ads on Job Sites – 46,000 Victims Infected Thus Far, August 17, 2007: <http://www.secureworks.com/research/blog/index.php/2007/8/17/prg-trojan-injected-ads-on-job-sites-46000-victims-infected-thus-far>.
[3] A Trojan, short for Trojan Horse, is a malicious computer program that, once placed on a computer, is usually difficult to detect. Trojans can accomplish much mischief while running in the background. The particular type of mischief varies depending on their purpose; for example, some Trojans are coded to download spyware such as keylogging programs. For a definition of Trojans, see Symantec, Crimeware: Trojans and Spyware, <http://www.symantec.com/avcenter/cybercrime/trojans_spyware.html?src=symsug_us>. For excellent articles about Trojans, see also Bruce Schneier’s web site, keyword search for Trojan: <http://www.schneier.com/cgi-bin/search/search.pl?Realm=whole+site&Terms=trojan>.