Monster.com says a third party exposed user data but didn’t tell anyone

An exposed web server storing résumés of job seekers, including applicants who had used recruitment site Monster, has been found online.

The server contained résumés and CVs of job applicants dating from 2014 to 2017, many of which included personal information such as phone numbers, home addresses and email addresses, along with each applicant’s prior work history.

Of the documents we reviewed, most users were located in the United States.

It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017. Other files on the exposed server included work-related immigration documentation, which Monster says it does not collect.

A company statement attributed to Monster’s chief privacy officer Michael Jones said the server was owned by an unnamed recruitment customer, with which it no longer works. When pressed, the company declined to name the recruitment customer.

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue,” the company said, adding the exposed server was secured shortly after it was reported in August.

Although the data is no longer accessible directly from the exposed web server, hundreds of résumés and other documents can still be found in copies cached by search engines. Securing the server stops new access, but it does not remove copies that were already crawled and cached while the files were public.

But Monster did not warn users of the exposure, and only acknowledged that user data had been exposed after a security researcher alerted TechCrunch to the matter.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”

Under U.S. state data breach notification laws, companies are obliged to inform state attorneys general when large numbers of residents of their states are affected. Although Monster is not duty bound to disclose the exposure to regulators, some companies proactively warn their users even when the data was lost by a third party.

It’s not uncommon for companies to warn their users of a third-party breach. Earlier this year, after hackers siphoned off payment card data for millions of people from third-party billing collections agency American Medical Collection Agency, its customers LabCorp and Quest Diagnostics publicly disclosed the breach even though it occurred on a vendor’s systems.

Monster said that because the exposure happened on a customer’s system, it is “not in a position” to identify or confirm which users were affected.