Sensitive personal data uploaded to a popular recruitment site has been found exposed on an unsecured web server after a third-party client failed to keep it secure.
Reports emerged late last week that résumés and other documents belonging to an undisclosed number of job-seekers were found unprotected on the internet by a security researcher: the latest in a long line of privacy snafus.
However, although some were identified as having been posted to Monster, the jobs site clarified that the issue was actually the fault of one of its customers.
“We alerted the customer and the customer immediately resolved the issue,” said the firm’s chief privacy officer, Michael Jones, in a statement sent to Infosecurity. “As a result of this incident, we have terminated the customer’s contract.”
He went on to explain why Monster should not be held responsible for the incident.
“We understand that people are concerned about data breaches and the discomfort they bring. For that reason, breach notifications require identifying the individuals and data that were affected, identifying the cause of the breach, and describing actions taken to prevent future breaches,” the statement continued.
“As the exposure occurred on a customer system, and involved customer data obtained from multiple sources, we were not able to identify affected individuals or affected information.”
The GDPR was designed in part to create more clarity on such issues of accountability and transparency, although it’s not clear whether any of those individuals affected were EU citizens.
“This is a lesson in how data can spread without people being aware of it. In this case, when we put our job history and résumés/CVs on these types of sites, we should assume that organizations are going to collect them as they review and use them for job considerations,” argued Erich Kron, security awareness advocate for KnowBe4.
“Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address.”
Monster’s Jones claimed user privacy is one of the firm’s top priorities.
“To that end, Monster actively discourages candidates and job seekers from sharing information they consider sensitive,” he concluded.
It could be argued that even innocuous-seeming information on a CV or résumé could be used by crafty hackers to phish candidates for more info.