Monster Hack!, Part 3: Trust us with your data, we’ll keep it safe…maybe
By Ema Kwiatkowski
Monster.com admits they’ve been targeted by phishing scam operators before, and they don’t believe they can keep it from happening again.
In contrast to the 1.6 million compromised records we were initially told about, “It could easily be in the millions,” Sal Iannuzzi, the chairman and CEO of Monster Worldwide Inc., told Reuters when speaking of the current data theft. He did not indicate when other attacks had taken place or even how many might have breached the company’s security.
To be safe, he said, every Monster.com user should assume that their contact information has been stolen. In the email sent to all Monster.com users on Friday, they state:
Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue.
Users received this letter on August 31st, 14 days after Monster.com was notified of the attack. How many users had already received a phishing email bearing their name before they were even notified of the possibility?
The kicker is that it was not only Monster.com user data that was stolen. Turns out that Monster Worldwide is the technology provider for USAJobs.gov, the official job search site for the federal government, and the server that was cracked also housed their data. 146,000 USAJobs records were also stolen in the melee.
In the face of all this, Monster has promised its users that it is stepping up surveillance of site traffic and boosting its security staff. They explain it like this:
Monster has launched a series of initiatives to enhance and to protect the information you have entrusted to us. Some of these steps are being immediately implemented, while others will be put into place as appropriate.
On the other hand, they are claiming that they cannot keep this from happening again. “I want to be clear and I want to be frank: there is no guaranteed fix,” Iannuzzi said in the Reuters article. “I wish I could say … there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can.”
Monster.com needs a new security advisor. Data can be protected, split up, or encrypted so that large dumps of complete data are just not possible. Not only did these hackers get emails, these hackers got email addresses with the names attached. These scammers will now be able to send a personalized email, making the probability that they will fool people skyrocket.
Monster.com has really treated this as “oh, it’s not like they got bank account numbers, and phishing happens all the time.” Yes, but phishing attacks that are able to use a person’s name with an email address are highly effective. Just because they happen all the time doesn’t mean users don’t want to know when they do.
What Monster.com does not seem to understand is that the users who are mad about this are not so much mad that it happened, but mad at Monster.com’s slow, lackadaisical response to the problem.
