What is the problem?
The personal information of job applicants from the job recruitment site Monster was exposed due to a misconfigured server that was publicly accessible without any authentication. As per a statement from Monster, the server was operated by one of its customers.
What was exposed?
The exposed server contained hundreds of resumes, CVs, and other files from job applicants who applied for jobs between 2014 and 2017.
The big picture
Monster said that the unprotected server belongs to a recruitment company that was a customer of Monster.com and other recruitment sites. The job recruitment site added that it no longer works with the recruitment customer.
Monster said that it is unable to determine the impacted users as the exposure occurred on a customer system. Furthermore, the job recruitment site did not notify its users about the exposure stating that customers are the owners of this database and they’re responsible for notifying the impacted users.
“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database,” Monster said, TechCrunch reported.