Search This Blog

Monday, August 27, 2007


It started out on Aug. 21, when Matt Chapman at announced that hundreds of thousands of recruitment hopefuls on had had their personal details stolen. Symantec discovered the website had been attacked, and advised Monster on Aug. 17. Customers weren’t notified until Aug. 22, one day after Chapman broke the story, according to an article in However, Monster then upped the ante to 1.3 million job seeker records lifted. The information stolen included name, home and work address, e-mail address, mobile and home phone numbers. Now why would the crooks be interested in this private information that doesn’t include at least one of the two main ingredients for ID theft: Social Security number, or date of birth? Because it is probably just as lucrative, and easy, to use the e-mail addresses for phishing scams to prey on unwary job candidates, particularly in the name of And with the sensitive data that was stolen, it is very easy to get your SS# and DOB on the Internet anyway. MSNBC even reported that some Monster users had already received spam asking for financial information. In an Associated Press piece on USA Today, the word is the bad guys hustled passwords from recruiters to do their dirty work. They took resumes and “used information on those documents to craft personalized "phishing" e-mails to job seekers.” This event once again emphasizes why it is so necessary to protect all of your private information, especially now when the phishers have become ultra sophisticated in designing their sites to look identical to the original. However, even in these phishing schemes—as well as several other types—your sensitive data would be safe if you were in control.


William Morriss said...

An interesting point about thefts of this type is that they may be outside the scope of currently existing data breach notification laws, which usually require something more than names and emails to be stolen before going into effect (something I wrote about here). Thus, breaches of the type which took place at might be more dangerous than those which obtain additional information, because consumers might not be informed and given the opportunity to take precautionary measures.

William Morriss said...

As a note, I'm curious about your suggestion of placing sensitive data in the control of individuals. Could you please provide more information on how that concept would operate?