Tuesday, September 04, 2007

And Lo, They Did Hack At The Monster

As you might have heard, the online jobsearch site Monster has been hacked into, and around a million jobseekers' personal details were obtained by the people responsible. Tut. And double Tut to Monster for not noticing, and it falling to Symantec to point it out to them.

I put my CV on Monster a very long time ago - back when the internet was still powered by coal, I think - and as I'm still on their mailing list I've received an e-mail from Monster; presumably it's part of their PR damage limitation work in relation to this incident, but I have to say it does little to reassure me... the following are genuine quotes, slightly edited but in the correct chronological order, cut-n-pasted from the e-mail:

MONSTER SAY:
"As you may be aware, the Monster CV database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with CVs posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records."

I SAY:
Er, not in that order, I hope? You switched off the problem server first, then told people what had happened, and then started to look into it with an eye to prevention of further occurrences, yes? Come on, reassure me here...

MONSTER SAY:
"The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity."

I SAY:
No, no, no! You're meant to be putting my mind at rest here, not making me think that your service is like a warehouse with a nightwatchman with a dodgy leg! I want to know how safe and resilient your security measures are, not how often people target you! Still, I'm sure your PR people will have swung into action, e-mailing those whose data's been nicked, right?

MONSTER SAY:
"Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue."

I SAY:
Well, that's not very good, is it? Despite the fact you've got lots of personal details of the punters on record, you decided not to go the personal route, but to do an 'en masse' mailing? Hmph, makes me glad I'm not on your Christmas Card list, it'd probably contain one of those unseemly 'this year Monsterette has passed her GCSEs' letters. Still, you're probably about to tell me about the steps you've taken to beef up your processes, right?

MONSTER SAY:
"We want to inform you about preventive measures you can take to protect yourself from online fraud. While no company can completely prevent unauthorised access to data, we believe that by reaching out to job seekers like you, the Company can help users better defend themselves against those who have attacked Monster as well as other databases."

I SAY:
Hey, hang on a mo, isn't this the wrong way round? Why are you telling me how to avoid my information falling into the wrong hands? Pot calling Kettle and all that here, I think. I'm reminded of the observation the comedian Rob (later Robert) Newman made about the Freddie Mercury Tribute Concert taking place to alert us all to the dangers of HIV/AIDS: "Us. Not Freddie. Us." And this e-mail feels the same way, really. Surely the responsibility lies with Monster?

Whilst I appreciate it's a huge kick in the PR groin for Monster, I think that they could have been a lot more specific about what they'll be doing to protect data in future. I mean, I'm not a techie, but ... well, not having servers in the Ukraine might be a step, and indeed relying on third parties to notice that you've been breached seems less than impressive.

Oh, and just in case you're worrying that I might ruin a good working relationship with Monster with this post, I think I'm pretty safe; I don't think I've ever actually got a job as a result of applying via Monster. So it doesn't feel like much of a bridge to burn.

Besides, the bridge has probably already been nicked while they were looking the other way.

1 comment:

Jay said...

Some alleged job sites seem to exist only to collect your contact information (e-mail address, home address, phone number, etc.). You provide a lot of very personal information to job sites, and you need to know how it will be used.

Education jobs