Patrick Manzo, vice president of compliance and fraud prevention at the New York-based firm, told the Reuters news agency yesterday that the company first learned of the hacking attack on 17 August, when security experts at Symantec told them of the data breach.
Monster.com subsequently posted an advisory notice on its website on 22 August to inform customers of the incident.
Researchers at the security vendor detected the Trojan, called Infostealer.Monstres, which accessed over 1.6 million entries of personal information belonging to several hundred thousand people, mainly based in the US, from the online recruitment site.
Monster.com has also revealed that it has shut down the server that was used to store the compromised information. The company traced the fraudulent servers used in the attack back to the Ukraine and they were closed down on Monday.
The hackers stole personal data including names, email addresses, home addresses and telephone numbers, in the assault which were then uploaded to the server.
The online recruitment company also said that it has started to contact all of the users whose personal data was taken during the attack.
Calum Macleod, European director for Cyber-Ark, believes things could get worse for Monster.com, as the hackers could use the personal details to commit identity theft crimes, which could lead to lawsuits against the company.
“By encrypting the details, even if the attackers succeeded in downloading the files, the fact they were protected would render the data unreadable and therefore unusable,” he said.
Monster.com waited days before informing users of breach
By Fiona Raisbeck on Aug 27, 2007 10:36AM