“It is a scary situation,” says Mark Mehler, principal at CareerXroads. “There could be wide implications for anybody who has a Web presence.”
A portion of Monster’s Web site—Monster Company Boulevard, which hosts profiles of employers—was hacked November 19, according to Steve Sylven, public relations manager for the Maynard, Massachusetts-based job board. He did not disclose how many Monster visitors were involved in the incident, though the company believes it was a small percentage.
The November hacking, which involved brand names such as Best Buy, Eddie Bauer and Toyota Financial Services, follows the well-publicized attack in August in which hackers broke into Monster’s database and stole the records of more than 1 million users.
The recent assault didn’t target the Monster database; instead, it was what experts refer to as an IFrame exploit. Job seekers viewing employer profiles on Monster were unknowingly redirected to another server, leaving some users vulnerable to hackers, says Roger Thompson of Exploit Prevention Labs, a New Kingstown, Pennsylvania, company that offers products and services to prevent Web-based security breaches.
Given Monster’s association with applicant tracking systems and corporate Web sites, some HR experts wonder whether hackers will eventually use the job board to gain entry elsewhere. Monster, applicant tracking platforms and employer sites sometimes work together to process job candidate information.
“Anything is possible,” Thompson says. “Hackers are always inventing new ways to cause harm.”
He notes that Monster and other job boards, because they are such high-profile, well-known, highly visited Web sites, are more prone to attacks.
Mehler says the HR community shouldn’t take any chances with such threats. He suggests IT specialists revisit the company’s online recruiting packages to check security.
Michael George, product evangelist at Vurv, says the company has not heard of concerns pertaining to hackers from any of its ATS customers. He doubts that hackers would target Vurv itself because it is a niche company that is most likely off their radar.
George concedes that there is no such thing as being 100 percent impenetrable to hackers and says the company is constantly on guard.
“The amount of security we use to protect proprietary information is staggering,” he says. “We are very committed to security.”
Being cautious with sensitive information should be a priority for everybody involved in talent acquisition, says Peter Weddle, CEO of recruiting consultancy Weddle’s. He also chairs the International Association of Employment Web Sites.
“We only hear about Monster because it is high profile,” he says. “But the truth is, hackers threaten the very existence of all online activity because they inflict fear onto the public at large.”
The Web site association, which represents more than 40,000 employment sites, has assembled the IAEWS Working Group on Customer Privacy and Security. The committee’s primary goal will be to protect employers, third-party recruiters and job seekers from hacker assaults.
“It is an issue that everybody is concerned with,” Weddle says. “We need to address it.” There are eight members in the group, including job board giant CareerBuilder and job aggregator Crosspost.com.
Weddle says the committee has its work cut out, particularly since there is no single solution to resolve the problem. He says the cure will be a combination of inventing new technology to combat hackers and creating educational initiatives for customers.
“We need to teach users to be more savvy so they can recognize when something has gone awry while surfing the Internet,” he explains. “And we also need to encourage them to report strange activity so that we can clamp down on it early on.”
Weddle also credits Monster for taking swift action in response to the hacker attacks.
“They are taking the PR heat,” Weddle notes. “But they exercised good judgment and are being very responsible.”
Thompson of Exploit Prevention Labs says Monster was quick to respond.
“By the end of that day the situation was under control,” he says.
Thompson warns, however, that Monster is a prized target for hackers, primarily because it draws in millions of users seeking jobs. As job seekers, these users tend to have their guard lowered and are willing to divulge personal information about themselves rather easily, making them ideal prey for hackers.
“These are innocent eyes going to Monster,” Thompson says. “They are unaware of the dangers that lurk.”