A security researcher has discovered an exposed web server online which contained resumes of job seekers from the recruitment site Monster.
After further inspection, resumes and CVs for job applicants from 2014 to 2017 were found on the server, many of which included private information such as phone numbers, home addresses, email addresses and even applicants’ prior work experience.
It is still unclear how many files were exposed on the server, but to put things in perspective, just one folder from May of 2017 contained thousands of resumes. In addition to resumes, immigration documentation for work, which Monster does not collect, was also discovered on the exposed server.
According to a statement from Monster’s chief privacy officer Michael Jones, the server is not owned by the company itself; it belongs to an unnamed recruitment customer with which the firm no longer works. Monster did not provide the name of the recruitment customer when pressed by TechCrunch.
After Monster was informed of the data leak, it notified the recruitment company regarding the issue and the exposed server has now been secured.
However, while the data is no longer directly accessible from the exposed server, hundreds of resumes and other documents submitted by job seekers can still be found in search engines’ cached results.
Since it was a third party and not Monster that exposed the data, the company did not warn its users that their data had been exposed online. In fact, the company only admitted user data had been exposed after the security researcher who discovered the server informed TechCrunch of the matter.
Monster tried to deflect responsibility for the data leak in a statement, saying:
“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.”
While Monster was not obligated to report the data leak to regulators, other companies have begun to proactively warn their users in situations where third parties are involved.