The Honolulu Advertiser
Posted on: Saturday, September 1, 2007

Monster.com breach will be costly

By Brian Bergstein
Associated Press Technology Writer

By now, the perils of securing online data with little more than user names and passwords should be well known. Monster.com learned that lesson late and the hard way, prompting this week's disclosure that the Web jobs board will spend millions of dollars to improve its security.

Monster Worldwide Inc. recently discovered that con artists had grabbed contact information from resumes for 1.3 million people — and likely many more, since Monster now says this was not an isolated incident. Files were pilfered not only from Monster.com but from USAJobs.gov, the federal government career-listing service operated by Monster.

The stolen information is not by itself ultra-sensitive, since resumes generally do not include Social Security numbers, financial data or account information.

But contact information can be lucrative for online criminals, who used what they got from Monster to craft "phishing" e-mails that go after such sensitive data.

After the Monster breach was disclosed by researchers at Symantec Corp., Monster pointed out that its network security had not been broken. No one hacked in, after all. Rather, the criminals obtained legitimate keys to the system — most likely by phishing or guessing passwords belonging to recruiters with access to Monster's tens of millions of resumes.

Yet the chance that someone would co-opt legitimate access to a network should itself have been considered a security flaw.

In one of the most infamous incidents, data-gathering giant ChoicePoint Inc. found in 2004 that criminals had posed as honest-to-goodness customers and filched information on 163,000 people. ChoicePoint ended up spending about $30 million fixing the situation, including $15 million to settle charges from the Federal Trade Commission that its standards were weak.

It's unclear how much of a hit the breach will deal the company, which already has been struggling. A month ago it announced layoffs of 15 percent of its workforce. The stock is near 52-week lows, and a key finance executive just departed.

To respond, Monster has said it would spend at least $80 million on upgrades to its site, which now include security changes. Among them: closer monitoring of the site and limits on the way its data can be accessed.