Monster.com discloses database breach

By Marcia Savage, Features Editor, Information Security magazine 26 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Monster Worldwide Inc. said Friday that criminals broke into its database and stole Monster.com user IDs and passwords, email addresses, names and phone numbers.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Resumes were not among the information stolen, Patrick Manzo, senior vice president and global chief privacy officer at the New York-based company, wrote in a notice posted on the Monster website. Sensitive data such as Social Security numbers, which the company doesn't generally collect, also were not accessed, he wrote. Some demographic data, however, was taken. The company didn't specify how many records were stolen.

"Immediately upon learning about this, Monster initiated an investigation and took corrective steps," Manzo wrote. "It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information."

Data breaches: Data breach study ties fraud losses to Hannaford, TJX breaches: Experts say breach costs are far reaching and could lead banks and merchants to find alternative payment methods. Security Wire Weekly: Heartland data security breach: In this podcast, Gartner Analayst Avivah Litan talks about the Heartland data breach. Also, a discussion with Ernst & Young's Sagi Leizerov on data privacy in the retail industry.

In the wake of the breach, the company advised users of its job site to change their passwords, and warned that email addresses could be used in phishing scams.

The U.S. federal government's website, USAJOB, which is hosted by Monster, was also affected by the theft and warned its users in a USAJOB security notice.

Randall Gamby, an independent information security analyst based in New York, said the data stolen in the Monster breach can be used by cybercriminals to uncover other personal details and to create targeted phishing attacks.

"Criminals are looking for information that makes people comfortable opening an unsolicited email," he said. "Personally identifiable information isn't just credit cards and financial data … I foresee a point in time where any information that's unique to an individual will have to be protected, just like Social Security numbers."

And while Monster noted that it hasn't found any evidence that the data has been misused, "the reality is that most criminals sit on the information until everything has cooled down," Gamby said.

SearchSecurity radio:

The breach comes less than two years after Monster warned users that intruders broke into Monster's database and stole information.

Randy Abrams, director of technical education at ESET LLC, a security software supplier with U.S. headquarters in San Diego, Calif., said Monster needs to improve its security but added that it probably is attacked more than other companies.

Monster.com is a "fat, juicy target" for cybercriminals because it combines fairly valuable personal information with a user base that's desperate for employment, he said. "You have some great victims for the taking," he said.

To address what's been a repeated problem, the company needs to consider additional security layers such as multifactor authentication for employee database access, Abrams said. Users also can help protect themselves by following security practices such as changing passwords frequently and not using the same passwords for email accounts as they do for websites such as Monster, he added.

Tags: Identity Theft and Data Security Breaches,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Facebook, McAfee partner to fix social network security issues Hacker pleads guilty to orchestrating Heartland credit card heist MasterCard reverses PCI compliance requirement Verizon report goes deep inside data breach investigations Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary