Recently, Monster.com had a security breach. You might have heard about it from various media sources (the "Monster attack steals user data" article from BBC News). This breach of security resulted in people getting e-mails about their Monster accounts, asking them to download a trojan program in order to keep their access to the site. I'm not entirely sure what the breadth of the problem was, but it became clear to me that Monster wasn't being proactive in letting people know about the problem. Since my Monster account has lain dormant for a while, and I received few, if any, job queries through their system, I figured I'd send them a message by canceling my account. I initiated the process online to cancel the account:
Please cancel my Monster account promptly. I am no longer interested in working with your company after the inactivity during the most recent security breach. Please _do not_ direct me to the phone number. Please cancel the account.
The next morning, I received the following from their customer support:
Thank you for contacting Monster Customer Central.
Craig, I understand from your email that you wish to cancel your MyMonster account and remove your resume from the Monster.com database. For now, I have deactivated your My Monster account because I would like you to know a few advantages of deactivating your account which you can have over deleting it completely: ...
The rest of the e-mail stated reasons why I should reconsider my account deletion. Unswayed, I pressed on:
The requested information is:
(the information he asked for, so I could prove I was me. Honestly, it was all in the account anyway, so this seemed quite silly)
I understand that I will be giving up the benefits of a Monster account, and in light of the company's recent events, I'm willing to take that
Thank you very much for the quick deactivation of my account!
Only then, in a return e-mail, did I learn what steps they were taking to resolve the issue. I won't reprint the note from the technician for the sake of brevity alone, but the official stance of the company is here: Security Center: Expert advice on avoiding online fraud | Monster.com
Basically, they understand the threat, but would like to assure me that the breach was for generic information (i.e., what you could get in a standard phone book). I'm not particularly aware of a phone book that lists my e-mail address, but maybe things are different where they are.
Unfortunately, I don't buy it. Here's my latest response:
Thank you for the response. I am still looking to cancel my account. It's not a question of severity (I read the reports on other sites, and was aware it wasn't an identity theft issue) but of how this was handled by Monster. I should have received something - anything - from the company about the depth of this breach, what it meant, and how to prevent falling into its trap. To date, the only time I received information about this breach was because I asked to cancel my account. That to me is a serious breach of customer trust.
The company may look at this as a small incident (indeed, the data that was likely pilfered was data commonly available in the phone book) but the data set is that of people who are looking for work. These people are in some cases quite desperate for work, so keeping their accounts intact is a priority. By exploiting their desperation, the people who pilfered the data from your servers could get these customers to go to some extreme measures in order to protect their accounts. What on the surface looks like a breach of nothing more than addresses, phone numbers, and e-mail addresses can turn into a serious identity theft problem. If someone posed as a recruiter working through Monster, they could quite easily get more trusted information like social security numbers, bank account numbers, and much more. Plus, if they had access to resumes (which I'm not sure if they did or didn't), they would have a complete work history of the person. This could also be used for social engineering ("Hi, I'm with your old employer. We need some more information") or other nefarious purposes.
Had I received a mail like the one I received with this latest response, with detailed information about the intrusion, what the company was doing to rectify it, and what I could do or expect in the meantime, I would have been satisfied. Unfortunately that note came when my mind had been made up about the company and its ineffectiveness to protect my data. Thus, to send a small signal to your upper management that they screwed up, and should be more proactive in the future, I would like to ask you to cancel my account.
Please cancel my account.
Thank you for all of your help, _________. I wish you the best in the
We'll see what happens.
Companies need to realize that even small breaches could have larger consequences. Sure, what may have been pilfered was nothing more than contact information, but knowing the source of that information could be invaluable to someone with ulterior motives. Just because a company lacks creativity in thinking like a criminal doesn't mean the criminals lack that creativity. The customers needed to be aware of the problem when it happened. Had the media not jumped on this, Monster might have slipped under the radar. Fortunately the media did jump, and Monster didn't respond properly.
Sure, I'm not upset over canceling my useless Monster account (I really didn't care about it, and the information in there was pretty old), but I know people who do use these accounts and are relying on them for their next job. Monster needs to learn quickly that the data they house is precious to those job seekers, and needs to learn that when they have been compromised, it is their solemn duty to let people know what happened, what was affected, and how to protect themselves. If Monster is not up to the challenge of these fundamental duties, then they can no longer be trusted. Losing customer trust is the death of any company.
I'll let you know if the account cancellation is successful.