Monster.com hit by personal data attack

US recruitment firm Monster.com has been hit by an attack that has compromised over 1.6 million pieces of information, including personal data. The attack follows warnings that recruitment sites are a rich target for identity thieves.

The employers' section of the recruitment website has been broken into by a program which then harvested 1.6 million pieces of information and stored them somewhere the people behind the hack could access them, according to security firm Symantec.

Some Monster users have received emails pretending to be from Monster which encourage them to download software they say is a recruitment tool. It is in fact malicious software which encrypts the information on their computers and demands a ransom for it to be unlocked.

Symantec said that the same hacker group may be behind both sets of activity. "We have informed Monster.com of the compromised Recruiter accounts so they can be disabled," said Symantec's exposure of the problems.

"To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate," said Symantec.

Monster itself recently warned that recruitment websites were prime targets for identity theft because of the wealth of biographical and bureaucratic information contained on CVs. It teamed up with security consultancy Cyveillance to warn site users that they should be vigilant about giving out their data.

In the UK, the Information Commissioner's Office (ICO) has also warned that the recruitment industry is a rich target for ID thieves. It warned that half of recruiters were not registered with it as data controllers, which they ought to be by law.

The ICO advises in its Employment Practices Data Protection Code that job applications and the information contained in them should be sent and stored securely. "Ensure that a secure method of transmission is used for sending applications online (e.g. encryption-based software)," says the Code. "Ensure that once electronic applications are received, they are saved in a directory or drive which has access limited to those involved in the recruitment process."

Symantec said that the program which broke into Monster.com did so by pretending to be an employer. "The Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the website and perform searches for resumes of candidates located in certain countries or working in certain fields," said Symantec in a blog about the vulnerability.

"The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers," it said. "This remote server held over 1.6 million entries with personal information belonging to several hundred thousands candidates, mainly based in the US, who had posted their resumes to the Monster.com web site."

A Monster spokesman told the BBC that the incident did not involve especially personal information. "We are not aware of any cases of identity theft. In fact, the information that is gathered from Monster is no different than that displayed in a phone book," said Patrick Manzo, vice president of fraud prevention and compliance at Monster.