This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39168327,00.htm


Monster data theft infected gov jobs site
Another 146,000 affected...

By Reuters

Published: Monday 03 September 2007

About 146,000 people using a US government jobs website had their personal information stolen by hackers who broke into computers at Monster Worldwide, a US government spokesman said.

The theft on the USAjobs.gov site, which has about two million users, was part of a hacking operation apparently run out of Ukraine that Monster disclosed last week, said a spokesman for the US Office of Personnel Management.

Monster runs the site on behalf of the government.

Last week, the government temporarily restricted recruiters from accessing the database until Monster completes efforts to ensure its computer system is secure, the spokesman said.

He said it was disabled "as an extra precaution on our part to best protect our users".

The information stolen from the USAjobs.gov database included names, postal addresses, phone numbers and email addresses. Social Security numbers, which are encrypted in the database, were not compromised, the spokesman said.

The government found out the site had been compromised on 20 July, when a subscriber submitted what appeared to be a fraudulent email, he said.

Officials with the US agency immediately passed the information on to Monster, the government spokesman added.

That appeared to differ from an earlier statement from Monster. Its chief executive Sal Iannuzzi said last week that the company hadn't learned its systems might have been compromised until 18 August, when researchers with security company Symantec notified it of the matter.

Officials with Monster could not be reached for comment.

A Symantec response team in Austin, Texas, had found that the hackers had managed to get unsuspecting PC users to download malicious software on to their computers so that the culprits could gain control of their PCs.

Those PCs were then used to access Monster's site using stolen credentials of job recruiters. The malicious software then sent the information to a second server in Ukraine, which Monster said was shut down on about 23 August.

It was not till mid last week that Monster notified the US jobs agency how much data had been stolen from the USAjobs database, the spokesman said.

The government followed up by posting a notice on the jobs site warning users that they might be victims of phishing attempts, and also contacted users individually via email, he added.
