The newly disclosed data theft occurred on the USAJobs.gov website, a site run by Monster on behalf of the U.S. government, which has approximately 2 million total users.
According to Peter Graves, a spokesman for the U.S. Office of Personnel Management, the government has temporarily restricted recruiters from accessing the USAJobs.gov database until Monster has completed work on securing its system.
“We disabled it yesterday as an extra precaution on our part to best protect our users,” Graves said Thursday, according to Reuters. Graves said that the government expected to restore access to the recruiters today.
Graves said that while the stolen information included names, postal addresses, phone numbers and email addresses, Social Security numbers, which are stored in encrypted form, were not compromised.
According to Graves, the government first became suspicious that something was amiss on July 20, when a subscriber to the site submitted what appeared to be a fraudulent email. Officials with the Office of Personnel Management immediately passed the information to Monster and posted a notice on the USAJobs site warning users to be on the lookout for fraudulent emails claiming to be related to the site.
The exploit wasn’t acknowledged publicly until researchers from security software vendor Symantec identified the Trojan, dubbed Infostealer.Monstres, on Aug. 16.
Graves said it wasn’t until Wednesday that Monster told his agency how much data had been stolen from USAJobs.gov.
“We didn’t know the extent,” Graves said. “We learned the extent yesterday.”
The government acted on the notification from Monster by posting a follow-up notice on the site warning users that they might be victims of a phishing scam, and by contacting users individually via email, starting with the 146,000 people whose information had been compromised, Graves said.