Monster.com Breach (Again!): Evolution of a Disclosure Letter
Monster.com has been forced to disclose another data security breach. With each incident, the language and tone of the disclosure note has changed. Here's how, and what it means.
Bob Blakley, an analyst with Burton Group, got in touch with us after the article was published. Here are his observations:
To me the disclosure letters seem pretty similar; what I really want to know is whether Monster has improved the correspondence between the text of the disclosure letters and objective reality. To me this would be the definition of "improving the letter". I'm not sure there's really much transparency or sincerity showing in either letter, to be frank. The security of the Monster system is clearly still not adequate. The current letter at least acknowledges that customers shouldn't necessarily expect better performance from them in the future. But the last paragraph of the current letter ("while no company can completely prevent unauthorized access to data, Monster believes that by reaching out to job seekers, the company can help users better defend themselves against similar attacks") is really disturbing; my paraphrase is "we've given up trying to protect your data; we hope you can do it better". Why would I give any data to a company with this attitude?
With the recent infection of Windows-based devices in the millions this past week, an *average* global infection rate at 98%, coupled with the largest data breach we've seen to date with Heartland (American Express, Discover, MC, VISA, etc. processing hundreds of millions of transactions from hundreds of thousands of establishments) it is the third such mass strike in a two-week window.
That is just a mere visual observation of the "global state of security". Not to sound so doom and gloom. Facts. Scan your security breach news. Find them all and head to your nearest Valium bottle.
We are entirely at fault in the end user computing education of the security spectrum. Those of us that built this very infrastructure and were initially bound to command lines and amazed at Motif. We enabled the end user and skipped the driving lesson.
-- there is no difference in handing a toddler the keys to a Porsche and putting them behind the wheel during rush hour on a freeway -- and -- a novice user connecting via Wi-Fi at every free spot with bluetooth enabled on their smartphone using their brand new laptop (or Mac) IM'ing and P2P'ing their latest iTunes.
Simply, everyone is a hop away or a port away from a prisoner, a malicious foreigner, a deviant, etc. There's no real electronic prison for the bad guys on a day-to-day basis.
Users are so conditioned to click OK and Next, that malware is clicked and installed. Definition files go without updates; patches not applied to the OS; visiting any and every website without ever tweaking the Security settings... this could go on infinitely.
I have witnessed this, sadly enough.
It's time for a "PC Health Clinic" and unified info security industry / global alignment, because the endpoints, as zombies attacking our networks and vomiting identities by the millions, sure aren't helping.
Imagine being on the other end of the breach. Security is a pricey, pricey afterthought in each and every IT infrastructure. It touches everything and everywhere. People see security as a pain in the ass as opposed to saving their ass. And having a BUDGET in *this* economy? Ha! I am not defending a repeated breach; perhaps industry infosec reputed vendors provide a "security bailout" to all of the major Big Six employment job seeking sites and do some pro bono work. Good old fashioned Good Will to the people who have been hardest hit and are truly the lowest common denominator as computer usage. C'mon, give peace a chance.
Disclosure letter, what disclosure letter? I don't recall getting one. If I have to log on to a site to see that my information has been hacked what use is that?
As far as I'm concerned, Monster has failed its obligations to its customers. I'm sure they spent a lot of time redesigning that horrible new interface; it seems they could have better used that time and energy to make the product more secure.
As with the previous poster...
Disclosure letter?
I was not notified by either. If it was an email, it could have easily landed in the Spam bucket.
"Letter" implies surface mail....
I suppose we are to believe they knew exactly what addresses and information had been compromised ???
What is this, "MonsterGate"?