Monster.com Breach (Again!): Evolution of a Disclosure Letter

When Monster.com suffered a data breach last year, two disclosure letters went out to customers — one from Monster itself and another from US AJOBS, a federal employment organization that relied on Monster.com databases for its job listings. Though they covered the same breach, each letter was starkly different.

Fast-forward to Jan. 23, 2009. The job search company has suffered another data breach and fired off a letter warning its customers. Comparing this letter to the last two shows Monster still trying to find the best way to tell people their trust — and private data — has been violated.

Last year, CSOonline.com asked a couple public relations specialists to review the Monster and US AJOBS letters and interpret the language of each. You can read both letters side by side along with the experts’ commentary in The Dos and Don’ts of Disclosure Letters. Naturally, we’ve decided to put the latest letter (available here on Monster’s site) under the microscope again.

The letter reviewer this time is Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting. Nebel’s specialty is going into companies that have suffered catastrophic breaches to do a post-mortem on how the incident was handled, from the technological controls and people policies to the structure of the disclosure letter.

In the big picture, he says the letter is adequate: Not bad, but could be better.

Before reading Nebel’s two cents, let’s compare each letter, where huge differences are evident from the opening lines.

Here’s the opening paragraph to Monster’s letter from last year’s breach:

“Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database. As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records.”

Here’s the opening in US AJOBS’s letter regarding the same incident:

“Recently, malicious software, known as Infostealer.Monstres, was used to gain unauthorized access to the Monster.com resume database to steal the contact information of job seekers. Monster Worldwide is the technology provider for the USAJOBS website and regrettably, some of the con-tact information captured came from USAJOBS job seekers. The information captured included name, address, telephone number, and email address. Monster Worldwide has assured the U.S. Office of Personnel Management that Social Security Numbers were NOT compromised because of IT security shields USAJOBS has in place.

As the two PR specialists noted in last year’s comparison, styles immediately diverge. Monster chooses to soften the coming blow with its first sentence. US AJOBS simply begins stating facts.

Now for the opening to Monster’s latest letter, released last week:

“As is the case with many companies that maintain large databases of information, Monster is the target of illegal attempts to access and extract information from its database. We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect — and the accessed information does not include – sensitive data such as social security numbers or personal financial data. Immediately upon learning about this, Monster initiated an investigation and took corrective steps. It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information.”

Unlike the first letter, Monster dispenses with the soft approach and gets to the point. But there’s still plenty of qualifying language. First, the company goes out of its way from the opening words to point out that it’s not the only company to go through this kind of breach. Many mammoth companies with deep databases are in the crosshairs, it notes. Monster is also sure to cast itself as the victim, saying it is a “target” and that it has been “illegally accessed.”

Nebel says the latest letter is so-so: not great, but not terrible either.

“There are no details about how they were hacked, nor steps taken to prevent it again,” Nebel says. “While I don’t expect them to necessarily tell us gory details there should at least be some context, be it human error, a zero-day attack, vendor issue, etc.”

Nebel notes that this isn’t really a disclosure letter per se as defined by Statute or Regulations, but more a friendly customer relations letter because Monster is likely not compelled to issue this by any law or rule based on the nature of this particular incident.

Whatever the case may be, it’s clear that writing disclosure letters remains a tough task, as opinion will always vary on the necessary amount of detail and bedside manner. Industry experts do agree on one thing: Companies have to state clearly the steps taken to address the problem and protect customers who may have been affected.

To that end, Monster’s latest letter urges customers to take steps to protect themselves.

“In order to help assure the security of your information, you may soon be required to change your password upon logging onto the site. Please follow the instructions on the site. We would also recommend you proactively change your password yourself as an added precaution.”

For more on how companies (and consumers) should handle a disclosure, including an interative guide to all state laws, see CSOonline.com’s Complete Guide to Security Breach Disclosure.