It seems Monster.com, the world’s largest job search engine, needs to hire a new sysadmin.
For the second time in 18 months, employment search site Monster.com has lost a wealth of personal data belonging to millions of job seekers after its database was illegally accessed.
In June 2008, the Bank of New York (BNY) Mellon reported the loss of unencrypted tape sets containing details of 4,500,000 customers. Banks and civil servants generally seem oblivious to the importance of storing data in a form inaccessible to unauthorized parties. In the field of IT and database development, it is standard procedure to store user passwords as an irreversible hash, such as one produced by the NSA-released SHA hash functions, making it virtually impossible for hackers to recover the original passwords.
In the case of Monster.com, the perpetrators could read all the user information except for the passwords, so they sent a phishing email inviting users to log on to a fake Monster page, thus providing the cracker with the missing password. One solution to avoid this could have been storing email addresses using reversible encryption.
This story raises questions about providing a lot of personal information to web sites (online mail, social networking, media storage and so on). Even if the company has a policy safeguarding the user’s privacy, all the confidential information is at risk if their servers are not properly secured.