Monster.com Breach (Again!): Evolution of a Disclosure Letter
Monster.com has been forced to disclose another data security breach. With each incident, the language and tone of the disclosure note has changed. Here's how, and what it means.
By Bill Brenner , Senior Editor
January 27, 2009 — CSO —
When Monster.com suffered a data breach last year, two disclosure letters went out to customers -- one from Monster itself and another from US AJOBS, a federal employment organization that relied on Monster.com databases for its job listings. Though they covered the same breach, each letter was starkly different.
Fast-forward to Jan. 23, 2009. The job search company has suffered another data breach and fired off a letter warning its customers. Comparing this letter to the last two shows Monster still trying to find the best way to tell people their trust -- and private data -- has been violated.
Last year, CSOonline.com asked a couple public relations specialists to review the Monster and US AJOBS letters and interpret the language of each. You can read both letters side by side along with the experts' commentary in The Dos and Don'ts of Disclosure Letters. Naturally, we've decided to put the latest letter (available here on Monster's site) under the microscope again.
The letter reviewer this time is Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting. Nebel's specialty is going into companies that have suffered catastrophic breaches to do a post-mortem on how the incident was handled, from the technological controls and people policies to the structure of the disclosure letter.
In the big picture, he says the letter is adequate: Not bad, but could be better.
Before reading Nebel's two cents, let's compare each letter, where huge differences are evident from the opening lines.
Here's the opening paragraph to Monster's letter from last year's breach:
"Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database. As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records."
Here's the opening in US AJOBS's letter regarding the same incident: