Monster Hack! update: Monster.com slow to react in face of data theft
By Ema Kwiatkowski
We told our readers about the theft of 1.6 million records from Monster.com two days before the company saw fit to notify its own users. Even then, affected users have not yet gotten an email; they are just greeted with a “Security Notice” on Monster.com’s homepage… if they happen to visit it.
Symantec notified Monster.com on August 17th that their server had been hacked. Overnight on the 20th, the company finally shut down the cracked server. A few days later, on the 23rd, the Security Notice was finally published.
Monster.com is trying to act the wide-eyed child and say they are blameless, and hackers are just persistent. Conversely, industry specialists see a problem with Monster.com’s security. They protected the servers, but did not encrypt their databases. Calum Macleod, European director for Cyber-Ark, is quoted in a Manufacturing Computer Solutions article explaining why encrypting databases is so important:
“Using this [encryption] approach means that the data can be held securely on the web server and, even if hackers succeeded in downloading the files, the fact that they were encrypted would render the data unreadable.”
It's disappointing to see a company not let users know when their data has been compromised. If anything, this lack of response will hurt Monster.com more than if they had been upfront with their users about it. The data stolen was not bank account numbers, but it was enough information to build a very successful phishing scam. Users who had data stolen most likely received a targeted phishing email even before Monster.com notified them to be on the lookout.
