Monster Mistakes

If a website collects, stores and processes detailed personal information on millions of people, you’d expect it to take security seriously.

Indeed, Monster has “a full-time worldwide security team, which constantly monitors for both suspicious behaviour on our site and illicit use of information in our database”.

Unfortunately, this team (Monster will not disclose any details, or even how many people are in it) doesn’t appear to be very effective.

In 2007, hackers obtained the details of 1.6 million users.  This was public and embarrassing, so you’d expect them to tighten their security and processes further.

Then in 2008, a further 1.6 million records were stolen.  OK, so maybe it’s time to have another look at the way security is implemented at Monster.  Indeed, Monster themselves wrote:

“Monster has made, and will continue to make, a significant investment in enhancing data security, and we believe that Monster’s security measures are as, or more, robust than other sites in our industry”.

So, good.  Problem fixed right?

Er, no.  On 23rd January 2009 hackers again managed to steal yet more user data.  This time, though, they’re not saying whose data has been breached.  No emails to users of Monster to make them aware that their employment history, address, date of birth, and education history are in the hands of ‘black hats’.  Apparently Monster are worried that an email to notify their clients will result in further phishing scams by the black hats using their email as a template.  Seriously, that’s what they said (more or less):

“Monster elected not to send e-mail notifications to avoid the risk those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. We believe placing a security notice on our site is the safest and most effective way to reach the broadest audience. As an additional precaution, we will be making mandatory password changes on our site.”

So unlike eBay, Amazon, iTunes, and every other retailer or indeed bank, Monster does not feel it can communicate a simple warning about the issue and the dangers of possible phishing scams.  Maybe a short “Sorry, we were hacked again – you’d better change your passwords on any other sites where they are similar to the credentials we let slip” email is all they need to send, but send something they should.  I’d be interested to hear whether they still send out marketing emails, or perhaps they’ve ‘gone dark’.  Faxes only from now on?

Luckily I don’t use Monster, but if they’d lost my details, I’d prefer it if they let me know.

All of that sounds like a PR nightmare for Monster, but how about this to ice the cake: users of Monster who read about this issue will likely attempt to change their password for that site a.s.a.p.  Many of those returning users will have forgotten the original password they used, and so will go through the ‘Forgotten Password’ route to reset it.  Remember that “full-time, worldwide security team”?  They don’t appear to have noticed that this password reset process sends the password in clear text (well spotted, Richard).

Oh dear.
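For contrast with the clear-text reset described above, here is an added example (my own illustration, not code from this post or from Monster) of how a “Forgotten Password” flow can be built so that there is no password to send in clear text in the first place: the site keeps only a salted PBKDF2 hash of the password, and a reset issues a random, single-use, time-limited token of which only a hash is stored. The in-memory store, the function names and the iteration count and lifetime constants are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constants are assumptions chosen for the example, not any site's real settings.
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


@dataclass
class UserRecord:
    """What the site stores per user: never the password, never the raw token."""
    salt: bytes
    password_hash: bytes
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: Optional[float] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(store: Dict[str, UserRecord], username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[username] = UserRecord(salt=salt, password_hash=_hash_password(password, salt))


def verify_login(store: Dict[str, UserRecord], username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec.password_hash, _hash_password(password, rec.salt))


def request_reset(store: Dict[str, UserRecord], username: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use, time-limited reset token and store only its hash.

    The returned token goes into the reset link the site delivers; the old
    password is not recoverable from the store, so there is nothing to leak.
    """
    rec = store.get(username)
    if rec is None:
        return None  # the site should still answer "if an account exists, a link was sent"
    token = secrets.token_urlsafe(32)
    rec.reset_token_hash = hashlib.sha256(token.encode()).digest()
    rec.reset_expires_at = (time.time() if now is None else now) + RESET_TOKEN_TTL
    return token


def complete_reset(store: Dict[str, UserRecord], username: str, token: str,
                   new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, before it expires, then replace the password hash."""
    rec = store.get(username)
    current = time.time() if now is None else now
    if rec is None or rec.reset_token_hash is None or rec.reset_expires_at is None:
        return False
    if current > rec.reset_expires_at:
        # Expired: clear it so a stale link can never be used later.
        rec.reset_token_hash = None
        rec.reset_expires_at = None
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec.reset_token_hash):
        return False
    # Success: the token is consumed and the password gets a fresh salt and hash.
    rec.reset_token_hash = None
    rec.reset_expires_at = None
    rec.salt = secrets.token_bytes(16)
    rec.password_hash = _hash_password(new_password, rec.salt)
    return True


if __name__ == "__main__":
    users: Dict[str, UserRecord] = {}
    register(users, "alice", "correct horse")      # constructed sample user
    link_token = request_reset(users, "alice")
    print("reset link would carry:", link_token)   # the only secret ever sent
    print("reset accepted:", complete_reset(users, "alice", link_token, "new passphrase"))
    print("old password still works:", verify_login(users, "alice", "correct horse"))
```

The point of the design is that the email (or the page that replaces it) can only ever carry a short-lived token, and a stolen copy of the user table yields neither passwords nor usable reset links.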


Microsoft to cut up to 5,000 jobs

The BBC have just reported that Microsoft are to cut up to 5,000 jobs.  This appears to be a pre-emptive strategy based on forecasted sales over the coming months.  Jobs are going from nearly all departments, and I wouldn’t be surprised if bonuses are capped and salaries fixed next.  This is becoming a common story, but very uncommon for Microsoft.  To quote from the BBC report:

“Richard Williams, an analyst at Cross Research, said: “Microsoft has never had a layoff like this in my knowledge, and it’s sending a signal that the times are definitely changing.””

They are also making cost-cutting measures in other areas, and I’d love to know where.  They talk about reducing travel expenses, but I wonder if their IT budget is expecting a chop too.
