From The Times
January 27, 2009 Hackers steal details of 4.5 million in attack on Monster jobs site
The monster.co.uk logo
About four out of ten people use the same password to access multiple websites. This article is the subject of a legal complaint
The personal details of millions of job seekers have been stolen in the largest data theft in Britain, The Times has learned.
Hackers gained access to confidential details provided by 4.5 million people to Monster.co.uk, the online recruitment site. Names, passwords, telephone numbers, e-mail addresses, birth dates, sex and ethnicity data as well as other “demographic information”, were all stolen, the company admitted yesterday.
It is the most extensive breach of confidential data since HM Revenue and Customs lost the details of 25 million child benefit recipients in 2007.
The victims are mainly professional staff who are seeking work in the economic downturn. Registrations at the site, which allows employers to browse thousands of CVs online, have soared as redundancies have risen. Monster.com refused to comment on how much information had been taken but The Times understands that the personal details of millions of people can be downloaded in under an hour once a hacker has gained access.
Security analysts told The Times that the plundered data from the recruitment site would be used by organised gangs to open fake bank accounts or take out loans in the names of unsuspecting customers.
Monster.co.uk has posted a message on the site advising all customers to change their passwords immediately. “It’s a horrendous breach,” said Graham Cluley, of Sophos, an IT security firm. “The information they have can be used to cause all kinds of mischief.”
About four out of ten people use the same password to access multiple websites, Mr Cluley said, meaning that criminals could use the Monster.co.uk data to obtain far more sensitive information. “These hackers could now use the passwords to access e-mail and online bank accounts.”
Police on both sides of the Atlantic are expected to investigate the breach. The Serious Organised Crime Agency said it was aware of the situation but refused to confirm if it was investigating the website.
Companies that advertise with Monster.co.uk, the British arm of the American-based global website, expressed outrage yesterday.
A spokesman for Britannia Building Society, which advertises vacancies on the site, said: “We will be seeking assurances from them about the credibility and reliability of the site, as we take the security of personal information of potential applicants very seriously.”
The Information Commissioner’s Office (ICO), the privacy watchdog, said last night that it would look into the breach.
“The ICO does not hesitate to investigate the most serious cases where sensitive details or large collections of personal information fall into the wrong hands,” a spokesman said.
It is the third time in two years that security at the world’s largest recruitment site has been breached. In August 2007 Monster.com’s data-base was infected by a virus called infostealer.monstres, which siphoned off more than 1.6 million records, mostly of customers based in the US.
A Russian gang called Phreak was said to be responsible. It was found to be selling “identity harvesting services” to fraudsters, charging £300 for data.
Yesterday Monster.com said the stolen data did not contain details of CVs or financial information. “We are taking appropriate law enforcement action,” a spokeswoman said. Hackers steal details of 4.5 million in attack on Monster jobs site - Times Online