Monster.com is a popular employment website that holds a huge database of resumes. The platform is trusted by billions of people around the world. However, it seems that even large recruitment sites are just as susceptible to data breaches.
Recently, a security researcher spotted a vulnerability in a web server that held the resumes of many job seekers. Unfortunately, Monster.com was one of the platforms affected by this exposure. The reports suggest that the server held resumes of job seekers submitted between 2014 and 2017. The exposed server leaked sensitive information about those job seekers, including addresses, phone numbers, past work experience, and email addresses.
Although Monster.com never collects immigration details, this information was also leaked in the exposed files. The authorities were quick to take the necessary action and took the exposed server offline. However, malicious actors may still be able to access these resumes through search engine caches.
According to Monster, the server belonged to a third-party recruitment agency that the company no longer works with. The recruitment site declined to share any details about the recruitment agency. The worst part of this situation is that Monster.com did not inform users about the data breach in the first place. The company alerted its users only after the security researcher reported it.
Data Collectors Should Alert Users About Breaches
We acknowledge that Monster itself was not directly involved in the data breach. Still, this situation calls into question the data protection practices of all employment platforms. We have seen many examples where third parties were involved in exposing data.
Therefore, data collectors are responsible for keeping an eye on the privileges of third parties that have access to user data. They need to ensure that third parties comply with the platform's cybersecurity policies, and the privileges granted should be restricted to fit each third party's role.
Given that Monster.com did not alert users itself, such companies should alert users about security breaches that compromise their personal data. Concealing these incidents may leave users worse off. There is no legal obligation on these companies to alert users and regulators about such incidents. However, informing users is considered the ethical practice.