New Incidents Spotlight Risk Concerns for Job Applicants & C-Suite Execs

The latest round of cybersecurity headlines focuses on a breach that allowed hackers to gain access to Monster.com resumes and a payment fraud scheme that cost a Belgium-based Toyota subsidiary tens of millions of dollars. 

An exposed web server, including files from Monster, the job posting site, contained résumés and for mostly U.S. job applicants from 2014 to 2017. Many of the records included information such as phone numbers, home and email addresses, and individuals’ previous work history. Other files contained immigration work documentation.

According to TechCrunch, which reported the breach, the number of exposed files is unknown, but a single folder dated May 2017 contained thousands of resumes. A company statement did not name the recruitment customer: “The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue.” 

In response to the Monster résumé exposure, Peter Goldstein, chief technology officer and co-founder of San Francisco-based Valimail commented: “In today’s era of growing privacy regulations, how companies react in the wake of a data breach is critical.” 

Goldstein acknowledged regulations might not require Monster to notify regulators in this specific situation, but best practices (and in some cases GDPR regulations) dictate companies notify customers impacted by a breach. “The exposed resumes give cybercriminals more than enough data to commit phishing attacks and effective impersonation attempts, which can lead to account takeover, identity theft and other scams. And the fact that criminals know these individuals are on the job hunt means their social engineering attacks can be highly tailored and therefore all the more convincing to their victims,” he said. 

Anurag Kahol, CTO, of Campbell, Calif.-based cloud access security broker Bitglass, echoed that concern. “Companies are responsible for protecting the data that they collect from customers; as such, they must maintain tight security controls,” he said. 

Kahol added that while Monster was aware of this exposure, the company failed to warn the victims, leaving them vulnerable to future fraud, such as highly targeted phishing attacks. “As CCPA (The California Consumer Privacy Act) and other privacy mandates continue to go into effect, organizations must make use of flexible security platforms that proactively detect and respond to new threats, enforce real-time access control, encrypt sensitive data at rest, control the external sharing of data, and prevent the leakage of personally identifiable information,” Kahol said. 

George Wrenn, CEO and founder of Burlington, Mass.-based CyberSaint Security said, “Managing third-party vendors has become a leading concern for all businesses, especially internet-based companies. Given that organizations are implementing more and more third-party technologies, these purchases often outpace the level of assessment that is necessary to gauge a vendor’s cybersecurity posture.”

Wrenn noted businesses must seek out solutions that streamline and integrate vendor risk alongside their internal assessments of cybersecurity risk and compliance. “(Chief information security officers) need to look holistically at cyber risk management and view vendor risk as paramount to their risk posture as their own internal cybersecurity practices,” Wren said. 

In another incident, a subsidiary of the Toyota Boshoku Corp. in Zavantem, Belgium, a manufacturer of car parts and part of the Toyota Group, lost an estimated 4 billion yen (about 34 million euros and $37.5 million dollars) last month due to CEO fraud. According to Toyota Boshoku, the yet unnamed subsidiary received fraudulent payment orders from a “malicious third party.” Further details about the case were unavailable, but the manufacturer stated it is trying to retrieve the lost money. 

This incident follows a prior security breach of multiple Toyota and Lexus sales subsidiaries in March 2019 that affected about 3.1 million customers and a cyberattack of Australian Toyota dealers in February 2019 that led to the shutdown of its corporate IT systems.

“It is clear as daylight that this was a combination of spear phishing, social engineering and employees answering to email from bad guys that spoofed the email. Something that could have easily been prevented by new-school security awareness training,” Stu Sjouwerman, founder and CEO of Tampa Bay, Fla.-based KnowBe4, said.

Tom Garrubba, vice president and chief information security officer, at Santa Fe, N.M.-based Shared Assessments, explained, “The information to lean on is very thin at this time, but per their statement (‘involving fraudulent payment directions from a malicious third party that has resulted in a financial loss at our European subsidiary) I don’t believe this would have been a single massive payment heist that occurred, but rather numerous and continuous phishing email stream requiring payment to a either a central location or several small facilities.”

According to Colin Bastable, CEO of Lucy Security: “This is the third acknowledged attack on Toyota this year. Once is happenstance, twice is co-incidence but three attacks looks like enemy action.” Bastable added, “It’s reasonable to assume that Toyota’s global infrastructure has been compromised to some extent. There is a multiplier effect at work with successful hacks – each one opens up numerous new opportunities to steal money, IP, data or identities.”

Bastable pointed out that BEC attacks, such as ransomware attacks, take planning and patience. The hackers from the earlier attacks were probably able to steal the email account credentials of C-Suite execs in order to carry out the fraud. “For hackers, successful attacks are the gifts that keep on giving, especially where third parties are involved, because cybersecurity is diluted for every related entity. With the vertically- and horizontally-integrated Japanese manufacturing model, it is hard to know where the vulnerabilities stop,” Bastable said. 

Of note, quarterly impostor email attacks aimed at financial services organizations increased more than 60% year-over-year for the fourth quarter of 2018 according to Sunnyvale, Calif.-based Proofpoint.