Monster users victims of data theft

Job hunters on hackers' radar

By Elinor Mills, 27 January 2009 11:09


User information, including passwords, has been stolen from job site Monster, the company has announced.

Monster's database of user account information - which includes user IDs, passwords, email addresses, names, phone numbers, and some demographic data - was illegally accessed and information was taken, the company said on Friday.


The stolen information did not include CVs or sensitive data such as social security numbers and financial details. However, the breached data could be used to contact Monster users directly and, through social engineering, trick them into handing over further information.

Monster is urging its users to visit the site and change their password. As a matter of policy, Monster does not send unsolicited email asking users to confirm usernames and passwords or to download anything.

Job sites are a likely target during an economic downturn, security company AppRiver said in a recent report on spam and other internet security threats.

More information on security tips is available on the Monster security web page.

Comments

  1. Mike Small

    This attack reinforces the need for organizations holding personal data to be extremely careful about the security of their servers and databases and re-assess access procedures.

    First, much organisational information is held in an unstructured form (spreadsheets, Word documents and presentations). While platforms and applications provide control of what can be accessed based on its label, much sensitive data can only be identified by its content: platform/application security does not control what can be done with legitimately accessed data. Recruitment sites are a mine of personal and employment details that could be repurposed for phishing attacks at a later date.

    Second, powerful “administrator accounts” – needed by any organisation to perform essential administration – which can bypass normal access controls to read application data and change log entries, are most often the target of hackers and ‘rootkits’ – they must be subject to agreed policy and controls. As the complexity of IT infrastructures increases, organisations must not lose sight of the importance of internal security procedures. It is imperative to become conscious of the internal threat, especially the power of the administrator and its potential consequences.

    Ultimately, decisions surrounding access to data should not be made solely by the IT administrator; administrator privileges are a wider business issue that needs to be tackled by senior management – spanning the CEO’s office and the IT and HR departments – with access privileges and entitlements taken away from manual checks and turned into agreed, and ultimately automated, processes.
