The target: Monster.com, a popular job posting website service.
The take: Personal information of hundreds of job applicants dating between 2014 and 2017 including: resumes, phone numbers, email addresses, home addresses and work history.
The attack vector: A customer of Monster.com, a third-party recruitment company, misconfigured a publicly-accessible web server, leaving records exposed.
A firm’s security posture is only as good as its weakest link - sub-contractors and third parties with access to sensitive data are possible sources of data leakage and must be held to a firm’s own security standards.