Monster job applicants information exposed due to unprotected server

• The exposed server contained hundreds of resumes, CVs and other files from job applicants who applied for jobs between 2014 and 2017.
• Monster said that the unprotected server belongs to a recruitment company that was a customer of Monster.com and other recruitment sites.

What is the problem?

The personal information of job applicants from the job recruitment site Monster was exposed due to a misconfigured server that was publicly accessible without any authentication. As per a statement from Monster, the server was operated by one of its customers.

What was exposed?

The exposed server contained hundreds of resumes, CVs, and other files from job applicants who applied for jobs between 2014 and 2017.

• The resumes included personal information of the job applicants including phone numbers, email addresses, home addresses, and work history.
• The other files found on the exposed server included immigration documentation for work, which Monster does not collect.

The big picture

Monster said that the unprotected server belongs to a recruitment company that was a customer of Monster.com and other recruitment sites. The job recruitment site added that it no longer works with the recruitment customer.

• A security researcher who discovered the leaky server alerted Monster’s security team about the data leak in August 2019.
• Upon learning about the incident, it notified the recruitment company of the issue and secured the server.

Monster said that it is unable to determine the impacted users as the exposure occurred on a customer system. Furthermore, the job recruitment site did not notify its users about the exposure stating that customers are the owners of this database and they’re responsible for notifying the impacted users.

“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database,” Monster said, TechCrunch reported.