Monster Security Worries Widen

The already serious data security problems at Internet job site Monster.com have become a federal case—literally.

Nearly 150,000 users of USAJobs.gov, the official federal government job site for which Monster provides technology, have been affected by malicious software that siphoned off their contact information. And Monster now says the data breach that affected 1.3 million job seekers with résumés posted on Monster.com wasn’t an isolated incident, and that “the scope of this illegal activity is impossible to pinpoint.”

The troubles at Monster, which include concerns about “phishing” spam attacks designed to blackmail job seekers or snag sensitive information, have raised new questions about the safety of online job hunting. And they raise concerns about other government services provided by Monster.

Monster subsidiary Military Advantage provides technology for TurboTAP.org, a U.S. Department of Defense Web site designed to help veterans and members of the National Guard and Reserve transition to civilian life.

A Monster representative could not be reached for comment.

In mid-August, computer security firm Symantec announced that a piece of malicious software known as a “Trojan” was trying to access Monster.com and uploading data to a remote computer. Monster said the contact information of approximately 1.3 million job seekers was contained on the rogue computer server, that the information on the computer was limited to names, addresses, phone numbers and e-mail addresses, and that Monster had shut down the computer.

Monster warned that the information appeared to have been gathered for the purpose of sending fake e-mails designed to persuade users to engage in financial transactions or lure them into downloading malicious software.

On August 27, the U.S. Office of Personnel Management said 146,000 subscribers to USAJobs.gov were affected in a data breach.

A security warning now on the USAJobs Web site reads: “Recently, malicious software, known as Infostealer.Monstres, was used to gain unauthorized access to the Monster.com résumé database to steal the contact information of job seekers. Monster Worldwide is the technology provider for the USAJobs Web site and, regrettably, some of the contact information captured came from USAJobs job seekers.”

It adds: “The information captured included name, address, telephone number and e-mail address. Monster Worldwide has assured the U.S. Office of Personnel Management that Social Security numbers were NOT compromised because of IT security shields USAJobs has in place.”

In a statement issue on August 31, Monster said it had sniffed out the trouble at USAJobs.com. “Monster is from time to time subject to illegal attempts to extract information from its database,” Monster said. “When suspicious activity has been detected on its site, Monster has disabled the customer login credentials involved, and contacted the employer-customer to discuss the suspicious activity. This was the case with the suspicious activity that affected USAJobs.com.”

Also last week, Monster said it was notifying all job seekers with an active résumé on Monster sites about preventative measures they can take to protect themselves from online fraud. And the company said it “will institute a comprehensive set of new systems and processes designed to enhance existing security and minimize such threats in the future.”

Even so, Monster has not answered some basic questions about how contact information for 1.3 million people ended up on a computer server in Ukraine. “Despite ongoing analysis,” the company said last week, “Monster cannot determine when that data was stolen or how many separate attacks that data represents.”