An exposed web server storing résumés of job seekers, including from recruitment site Monster, has been available online.
The server contained résumés and CVs for job applicants dating from 2014 to 2017, many of which included private information like contact numbers and home addresses, along with email addresses and a person’s previous work experience.
Of the documents we saw, most users were located in the United States.
It is not known exactly how many files were exposed, but many résumés were discovered in a single folder dated May 2017. Other files discovered on the exposed server included immigration documentation for work, which Monster does not collect.
A company statement attributed to Michael Jones, Monster’s chief privacy officer, said that the server was held by an unnamed recruitment customer, with which it no longer works. When pressed, the company declined to name the recruitment customer.
The company said that the Monster Security Team was made aware of a possible exposure and notified the recruitment company about the issue, adding that the exposed server was secured shortly after it was reported in August.
Although the data is no longer directly accessible from the unprotected web server, hundreds of résumés and other documents can be seen in results cached by search engines.
But Monster did not notify users of the exposure, and only acknowledged that user data was exposed after the security researcher alerted TechCrunch to the issue.
The company said that the customers that purchased access to Monster’s data (candidate résumés and CVs) became the owners of the data and are responsible for maintaining its security. Because customers are the owners of their data, they are completely responsible for notifications to affected parties in the event of a breach of a customer’s database.