Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.


Monster.com was attacked again and their database breached.  A similar incident occurred in 2007.  Back then, the company said they would make the site more secure and they would take security much more seriously.  Their new and improved security was breached a few months later, proving that security appears to be just lip service at Monster.com.

“This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website,” reported Symantec.

Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were “very realistic” and contained “personal information of the victims”.

The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files in their computer and left a ransom note demanding money for their decryption.

The program used to access Monster.com user data was a Trojan, a type of program commonly used to gain access to bank details, usernames and passwords.

Monster.com will also not be sending out emails to let users know of the breach, even though failing to notify them is illegal in most states.  Instead, there is a small security update on the site’s main page.  It’s also easy to miss.

Though the company is offering help, there’s little to be done by users who don’t keep their software up to date and IT administrators who haven’t kept up with the latest reports of attacks or tried to actually make the site more secure.

One major way they could have made the site more secure is by using simple password security.  If you happen to use the account on a public terminal and forget to log out, anyone can go back into your account and change your password to a new one.  There is no prompt for you to type in your old password before creating a new one.  Passwords are also not encrypted.  These are the basics of security and Monster.com continues to fail at them miserably.
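The two controls described above, as an added sketch that is not Monster.com's code: the password is stored only as a salted one-way hash (hashing rather than reversible encryption is this example's choice), and a change requires the current password even from a logged-in session. The account name, the in-memory stores and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
ACCOUNTS = {}          # username -> (salt, derived hash); no plaintext is kept
SESSIONS = {}          # session token -> username

def derive(password, salt):
    # Slow, salted one-way derivation: a stolen table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)  # fresh random salt per password
    ACCOUNTS[username] = (salt, derive(password, salt))

def check_password(username, password):
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, derive(password, salt))

def login(username, password):
    """Return a new session token, or None on bad credentials."""
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def change_password(token, current_password, new_password):
    """Change the password only if the caller re-proves the current one."""
    username = SESSIONS.get(token)
    if username is None:
        return False
    # A session left open on a public terminal is not enough on its own.
    if not check_password(username, current_password):
        return False
    register(username, new_password)
    # Revoke every session for this user, including ones left open elsewhere.
    for stale in [t for t, u in SESSIONS.items() if u == username]:
        del SESSIONS[stale]
    return True
```
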

My advice is to go and log into your account, if you have one.  Delete your resume and cover letter.  Then, change your password to some random alpha-numeric string.  Then, cancel your account and explain to Monster.com that three breaches of security in less than two years is completely unacceptable.  Also explain that not notifying its customers of the breach, not taking responsibility, and, in general, the overall decline in usability are the reasons they have lost you as a customer.  Incompetence and a lack of integrity are what got Monster.com into this mess.  It’s the reason why you should be leaving Monster.com as well.


While everyone agrees that USB drives should be encrypted, you’d be hard-pressed to find anyone who thinks attaching the password to the USB drive is a good idea; until now.

If you are, or were, a patient at Preston Prison in Lancashire, there’s a good chance that your medical records are out in the open.  The USB drive went missing on 30 December 2008 and has yet to be found.

The stick may have contained information of up to 6,360 patients. However, in some cases, individual patients had more than one entry.

The information included prisoners’ surnames, prison number, cell location, age range, prison clinic appointment times and references to medical conditions such as asthma, diabetes, mental health and even sexual health references.

Health chiefs have apologised for the breach and have taken urgent action to prevent it happening again.

“Even though there is no risk to anyone’s ongoing treatment or care, we have plans in place to contact those affected to inform them of the breach and apologise.”

Uh, this happened two weeks ago and you still haven’t contacted those who may be affected?

Anyone with concerns should contact the PCT’s confidential information line on: 0845 609 9866. It is open 9am to 5pm seven days a week until January 23, 2009.

Because after the 23rd, the police will go back to not caring about this problem anymore.

You might be thinking, “Who cares, they’re just prisoners and the information was lost somewhere in the prison,” but what you aren’t thinking about is that this isn’t the first time something like this has happened.  The British government seems to have a habit of losing the private data on all of its citizens, from baby to adult, law-abiding to prisoner.  The USB drive was also lost in a place full of criminals.  Do you really think that anyone, prisoner or guard, isn’t going to be tempted to take this information and sell it?  How likely is it that it’s going to turn up anytime soon?  I believe that it would have already happened if an honest person had found it.

This is a huge problem that the British government doesn’t seem to care to fix.  Because it happened to prisoners, they seem to care even less.  Just remember, your private, personal information is only as secure as the idiot carrying it.
