Saturday, September 1, 2007

Lessons from the massive privacy breach at Monster.com

Last week’s massive security breach affecting Monster.com is a reminder of what is at stake as we all come to rely on web-based services for everything from shopping to dating to job searching. For those unfamiliar with the service, Monster.com is an international job search site, where employers can post job ads and employees can post their resumes and apply for positions. According to CRN Business:

The stolen data, which was found on a remote server and shut down by Monster.com this week, included users' names, addresses, phone numbers and e-mail addresses. Symantec security researchers first reported the incident last week, although it's still not clear when the breach first occurred.

The data was collected by the Trojan Infostealer.Monstres, which likely used stolen login credentials of legitimate employment recruiters to gain access to the site's resume database, according to a posting by Symantec researcher Amado Hidalgo on Symantec's Web site. The unsuspecting job seekers whose information was stolen then became the victims of various phishing e-mail scams attempting to empty their bank accounts.
Last week’s reports indicated that a staggering 1.3 million individuals’ data had been stolen, but Monster.com’s CEO Sal Iannuzzi is now saying that the breach is likely even larger:

To be safe, he said, all Monster.com users should assume that their contact information has been taken.

While Monster is assuring users that it is working to improve security on its site and contacting users about ways they can protect their privacy, this is too little, too late: millions of users’ confidential data, including names, residential addresses, e-mail addresses, home telephone numbers, cell phone numbers and employment history, has been stolen by individuals who have not been identified or arrested, for purposes not yet known. It is not yet known whether any financial transaction data has been stolen.

Iannuzzi offers little comfort to Monster’s customers:

"I want to be clear and I want to be frank: There is no guaranteed fix," Iannuzzi said. "I wish I could say . . . there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can." (emphasis is mine).

This is a sobering reality check for all of us who share information and make transactions on the Web: there are no iron-clad guarantees for the security of your data, financial or otherwise. It is up to individuals to stop and think before providing any personally identifiable information to access a service or conduct a transaction over the Internet.

Some ways you can reduce your risk:

1. When signing up for a Web service – anything from Facebook to Ticketmaster alerts to a blogging utility – how much personally identifiable information are you required to provide? How important is the service to you when weighed against the risk of your personal data being stolen or unlawfully accessed?

2. Could you access this service in another way? For example, is it possible to apply for a job by e-mailing the employer directly, rather than uploading all of your application data to a Web service?

3. When you are making an on-line purchase, be sure the vendor is providing a secure means of making the transaction – look for the https:// prefix in the URL (e.g. https://www.abc.com). You should also see a padlock icon in your browser if the connection is secure.

4. Make sure you run anti-virus software regularly to ensure that key sniffers (keystroke loggers) are not at work on your computer. Because you cannot be assured that this is happening in libraries and Internet cafes, don’t access your on-line banking service or make financial transactions on public Internet computers.

5. If you are using a wireless Internet connection, secure it to ensure that no one can access your computer.

6. When making a transaction online, always decline the option for the service to retain your credit card information. The inconvenience of re-keying this information is not worth the risk of a data breach.

7. Vote with your feet and with your money. Don't support companies or services that aren't taking data security seriously. If you have a concern about the amount of personal data you are required to provide in order to access a service, don't go ahead with the transaction. Write the companies and let them know your concerns. Read their privacy policy thoroughly.

Unfortunately, even using these precautions will not eliminate your risk. A few months ago, I wrote about how in-person shoppers at TJ Maxx stores had their credit card information stolen because the company’s databases were breached and they retained the data far longer than required to support the transaction. Regulations to protect consumers are lagging and differ from country to country and within state and provincial jurisdictions. Many companies are lax in protecting consumers and do not provide the level of I.T. support required to secure data.

Most of us wouldn’t leave our houses without locking the doors, but we can so easily become complacent about the amount and type of personal information we share in our day-to-day activities.
Always ask yourself: is the convenience worth the potential risk?

6 comments:

saboma said...

Great post, Sharon!

I had a keylogger actually given to me from a person I had thought of as a good friend. I've since learned that it isn't a good thing for me to think. Ultimately, I had to report him to the FBI, more so because this "relationship" was an international relationship. Once I rid my computer of the keylogger I felt like I had been raped. It took me 6 hours to get rid of it. Plus I had to change passwords and stuff, too, so it was over 6 hours of grief.

I'm really glad to meet you, Sharon. I have you in my Google Reader with the rest of my friends, minus that one schmuck a roo I just mentioned.

Sharon E. Herbert said...

I'm so sorry that you had this terrible experience, Saboma; it must have been awful. Thank you for sharing it with me and my readers and hopefully it will help prevent others from having the same experience.

It's great to meet you too, and thank you for reading!

Mike Scott said...

That sure was a big breach. I had read that the thieves were contacting some of the victims with a legitimate-sounding offer, which was really just money laundering.

Here is that story.

Great story, and thanks for the link in your "Links" section Sharon.

Sharon E. Herbert said...

Thanks for the link with more background on this story, Mike - much appreciated. Really enjoy your blog!

Bob Johnson said...

Excellent post, thanks!

Sneezy Melon said...

I really like your writing style. I landed here through Google and dunno why I've never heard of this news before. This surely brings some concerns. Some days back, even Vodafone India's website was hacked. Anyways, keep up the good work.
--
Sneezy Melon
(http://sneezymelon.blogspot.com)