Monster.com fraud cop speaks

August 24, 2007

monster.JPGOnline recruitment site Monster.com waited five days to tell its 1.3 million customers about a security breach that resulted in the theft of confidential information.

Patrick W. Manzo, vice president of compliance and fraud prevention, told Reuters late on Thursday, the company needed the time to properly assess the scope of the breach and to solve the problem before alarming users. Manzo discusses Monster.com’s security strategy: 

How did they get into your system?
What they do is they have a credential – a legitimate credential that they have pilfered somehow. go into the database and download the resumes.Actually I should clarify.  The data we are talking about here was really directory data: name, address, telephone number, email address. We have examined all the data that was on the server and we have not seen entire resumes.  We have just seen that directory data.
 
Was your security too lax?
There is not going to be any security method that’s bullet proof. The security we had in place was a user name and a password. That is a very common security method and it is used by banks. It is used by most other Internet companies. In this case the security method wasn’t defeated. Nobody cracked the password. Nobody broke through the front gates here. We have a system that’s like a lock with a key and somebody had the key. They got the key from the legitimate customers.  
 
How many credentials did they use? 
We believe it was a very limited number.

Have you begun a rigorous review of your security system. Are you talking steps to beef things up? 
The answer to your question is yes. But that’s not something that’s necessarily new.  It’s something that in light of the current situation we are going to make a top priority. 
 
Have people pulled their resumes from your site?
Jim I don’t think they should be concerned about their resumes. The key fact is to be vigilant and to be on the lookout. …Phishing and these issues are not unique to online recruiting. I’m sure your email box has its fair share of spam and strange messages from banks and these sorts of things . I know mine certainly does. 
 
Yes. but I hope those spammers didn’t get my contact information by breaking into an Internet company like Yahoo or Google and getting data from my accounts with them. 
I understand. People’s concern with privacy is very important and we take that very very seriously.   I think it’s also important to keep in context the type of information we’re talking about here. It’s a name. It’s an address. It’s a telephone number. Most people have that published in the phone book. In addition there is an email address, which i think most people expose to the public when they use it. That’s not to say we don’t take this seriously. We absolutely do. As I’ve said we are committed to having world class security. But it is important to emphasize  that we are not talking about the kind of information that really should cause concerns. We are not talking about social security numbers. We are not talking about credit cards. We are not talking about drivers license numbers.

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/