Monster.com Breach: Evolution of a Disclosure Letter

By Bill Brenner, CSO
January 27, 2009 10:20 AM ET
When Monster.com suffered a data breach last year, two disclosure letters went out to customers: one from Monster itself and another from USAJOBS, the federal government's employment site, which relied on Monster.com databases for its job listings. Though they covered the same breach, the two letters were starkly different.

Fast-forward to Jan. 23, 2009. The job search company has suffered another data breach and fired off a letter warning its customers. Comparing this letter to the last two shows Monster still trying to find the best way to tell people their trust -- and private data -- has been violated.

Last year, CSOonline.com asked a couple of public relations specialists to review the Monster and USAJOBS letters and interpret the language of each. You can read both letters side by side along with the experts' commentary in The Dos and Don'ts of Disclosure Letters. Naturally, we've decided to put the latest letter (available here on Monster's site) under the microscope again.

The letter reviewer this time is Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting. Nebel's specialty is going into companies that have suffered catastrophic breaches to do a post-mortem on how the incident was handled, from the technological controls and people policies to the structure of the disclosure letter.

In the big picture, he says the letter is adequate: Not bad, but could be better.

Before reading Nebel's two cents, let's compare the letters themselves; the differences are evident from the opening lines.

Here's the opening paragraph to Monster's letter from last year's breach:

"Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database. As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records."

Here's the opening of the USAJOBS letter regarding the same incident:

"Recently, malicious software, known as Infostealer.Monstres, was used to gain unauthorized access to the Monster.com resume database to steal the contact information of job seekers. Monster Worldwide is the technology provider for the USAJOBS website and regrettably, some of the contact information captured came from USAJOBS job seekers. The information captured included name, address, telephone number, and email address. Monster Worldwide has assured the U.S. Office of Personnel Management that Social Security Numbers were NOT compromised because of IT security shields USAJOBS has in place.
