The US-based jobs board has suffered its third major security breach in two years.
Monster, the Massachusetts-based jobs board, has suffered its third major data breach in three years, TechCrunch reports.
In this most recent breach, an unsecured web server was targeted by hackers, who retrieved thousands of jobseeker résumés. The server in question had been left unsecured for many years, according to reports.
The leaked files, dating from 2014 to 2017, contain key points of personal data. Information such as addresses and telephone numbers, as well as email accounts and employment history, was found within the lost documents.
Security experts warn that this information is regularly used in phishing scams and identity theft. Targeted individuals can find emails and bank accounts compromised by the loss of data.
The hazardous world of online data
In the age of GDPR compliance, security flaws of this nature are treated very seriously by authorities. However, Monster does not appear to be accepting the blame for this particular leak.
Instead, the jobs board has suggested that the data breach occurred within one of their customer organisations. The personal data – while originating from Monster – had already left the company’s system by the time it was lost. Monster issued the following statement:
“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security.”
“Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
It raises the question of who is responsible for data breaches. Within the world of recruitment, GDPR is a governing force over what we can and cannot do with our data. And, in this specific case, the victims have freely shared their information with a company (Monster) that promises to re-sell that data to potential employers (Monster clients). So it may be acceptable to suggest that it is the client company that is responsible for this data breach.
Why is this?
Because, in this scenario, the Monster customer has adopted the role of “data controller”. They assume full responsibility for data security – as well as the reporting of any breaches. But, if the jobseeker has no direct relationship with this client company, what is their protection?
It is one of the many grey areas of data security which still make the disclosure of personal data online a risky business.
In January of this year, millions of user passwords were leaked online.