August 27, 2007
Monster.com Sized Data Mishap
More news keeps coming out about Monster.com's data hack, and the most questionable piece of it is that Monster waited five days to release news of the attack; waiting, in fact, until after Symantec had already released the information.
According to Yahoo News, some of what is coming to light about the attack (look for a podcast later this week with more details) is that 1.3 million people had their information stolen from Monster. That information consisted of name, address, school, typical resume sort of stuff, and did not include any bank account details or the like. The hackers, using two servers based in the Ukraine, used credentials stolen from Monster's clients to gain access to Monster.
Monster first learned of the problem on August 17, when Symantec informed them they were under attack. "In terms of figuring out what the issue was, that was a relatively quick process. The other issue is you want to make sure exactly what you are dealing with," Patrick Manzo, vice president of compliance and fraud prevention for Monster told Yahoo.
Manzo's security team spent the weekend investigating the attack, locating the servers launching it and shutting them down. The hackers' goal was to use the stolen information to make a spear phishing campaign more convincing: they sent out detailed emails pretending to be from Monster that asked for personal information, or tried to get the recipients to click on a link that downloaded malware.
It wasn't until Wednesday, a day after Symantec released its report, that Monster posted a notice on its website, and here's what Monster now has to say. A spokesperson also stated that Monster posted letters to those targeted by the attack.
5 whole days, huh? Obviously, Monster.com was quite concerned about its reputation, and with understanding the full extent of the attack before it started dealing with the fallout. But one can't help but wonder, had they reported the attack more quickly, how many fewer people would have been taken in by the scam.
While reporting the news before you have all the information on the attack raises its own red flags, I think the sooner the better. I mean, if hackers get better at covering their tracks with these types of attacks, who's to say a company won't then wait a month, until it has all the information on the attack, to warn people?
One thing is for sure: in attack response, response time is becoming critical, if only from the negative-branding angle on a company's image. Perhaps companies need to start having a Chief Informing-the-Public-About-Who's-Doing-What-With-Their-Data Officer.
Tags: Monster, data breach, compliance, malware
Posted by pschooff
Twenty-Four Seven Security