A customer of Monster, an employment website, suffered a security breach that exposed a web server holding the résumés of job seekers; it is not known how many files the exposed server contained. The exposed résumés and CVs spanned 2014 through 2017 and contained PII such as email addresses, home addresses, and phone numbers.
Monster did not proactively notify affected parties, and though the company had no legal obligation to do so, there is precedent for notifying users of a third-party breach. Earlier this year, medical testing companies LabCorp and Quest Diagnostics faced a similar situation when their third-party billing collections firm, American Medical Collection Agency (AMCA), suffered a breach that exposed the personal information of nearly 20 million Americans; both companies warned their users of the third-party breach. In any case, it is important to verify that third-party service providers maintain proper cyber hygiene, because an organization's security is only as strong as its weakest link.
“Customers that purchase access to Monster’s data — candidate résumés and CVs — become the owners of the data and are responsible for maintaining its security,” the company said. “Because customers are the owners of this data, they are solely responsible for notifications to affected parties in the event of a breach of a customer’s database.” Under state data breach notification laws, companies are obliged to inform state attorneys general when large numbers of residents of their states are affected. Although Monster is not duty-bound to disclose the exposure to regulators, some companies proactively warn their users even when the breach occurred at a third party.