A customer of Monster—an employment website—suffered a security breach, resulting in the exposure of a web server with résumés of job seekers; it is not known how many files the exposed server contained. Résumés and CVs spanned 2014 through 2017 and were comprised of PII such as email addresses, home addresses, and phone numbers.

 Monster did not proactively notify affected parties, and though the company did not have a legal obligation to do so, there is a precedent for third-party breach notification. Earlier this year, medical testing companies LabCorp and Quest Diagnostics faced a similar situation as third-party billing collections firm American Medical Collection Agency (AMCA) suffered a breach that exposed the personal information of nearly 20 million Americans—however, both companies warned their users of a third-party breach. In any case, it is important to make sure third-party service providers maintain proper cyber hygiene because your organization is only as strong as its weakest link.