Third-Party Server Has Been Leaking Your Personal Résumé Data for Years

A server storing an unknown number of résumés and CVs has been leaking private data for years. Affected sites include Monster, the massive catch-all job seeker platform, with data having been exposed from at least 2014 through 2017.

TechCrunch first reported on this issue, and says “It’s not known exactly how many files were exposed, but thousands of résumés were found in a single folder dated May 2017.” Though Monster was affected, its Chief Privacy Officer Michael Jones says the company didn’t own the server. Jones claims the server was owned by a recruitment company, which they refuse to name, saying they are “not in a position” to do so.

Monster also offered the following:

Customers that purchase access to Monster’s data – candidate résumés and CVs – become the owners of the data and are responsible for maintaining its security. Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.

Monster also claims that after the unsecured server was reported to it, the company responsible was notified and the server was secured in late August.

Curiously, this server seemed to house a lot more than your average résumé. The report says it also housed immigration documents for work, which Monster doesn’t collect.

This is troubling for a variety of reasons. First, we have no idea how widespread this data leak is. One file containing “thousands” of résumés and CVs is jarring – even more so because we don’t know if it’s one of many. Monster wasn’t clear about how much data an outside company can purchase access to: did it scrape Monster’s entire database? Is that even possible?

If this single file with thousands of résumés was itself one of thousands of files, this leak could be intense. We give up a lot of personal information on résumés. Worse than a server being left unsecured is not knowing who had access to it; TechCrunch says the server was “found online,” but didn’t note how it was able to discover the server.

As with all data breaches, assume your use of the service means you’ve been compromised.

2 Responses to “Third-Party Server Has Been Leaking Your Personal Résumé Data for Years”

  1. I see that the question has been thrown out there by politicians to regulate and break up high-tech companies, i.e. Google, Facebook, Amazon, and Apple.

    They seem to think that Amazon needs to sell off their grocery store chain, never mind that it would destroy the new experiment going on with the idea of a cashierless shopping experience for groceries. What it would mean is taking away the test platform, which isn’t very smart.

    They don’t say anything about the train-wreck spyware that is disguised as Microsoft Windows 10. As a dyed-in-the-wool Windows programmer, it has convinced me that the only thing to migrate over to is basic Linux. Nothing else has the support available for the existing hardware base. Yes, I know, Linux on the desktop has failed repeatedly. But that doesn’t change the problems over at Microsoft, and it’s only going to get worse.

    That there is a resume leak associated with Monster is appalling. That it is on some server owned by a ‘customer’ is an excuse to not own up to the issue and be responsible, the typical reaction from any company found to be leaking customer information.

  2. This article is spot on. I have had foreign recruiters emailing me and calling for years now. I can’t stop it. I know it is from a data breach because I used a specific email address for my resume that I only listed with Monster. When I heard about the breach years ago, I closed out the account. Unfortunately, the resume listed my phone number as well. But now I know to ask what address they have for me when recruiters call. Then I know these are bottom feeders and I tell them no thanks.