The venerable owner of the Wall Street Journal, Dow Jones, has notified customers of a breach that may have affected thousands.
Hackers gained unauthorized access and manipulated a subscription system to steal personal contact information, and were able to remain inside Dow Jones from August 2012 until at least July 2015.
In a letter to customers on Friday, Dow Jones Chief Executive William Lewis said that data from 3,500 individuals “could have been accessed, although we have discovered no direct evidence that information was stolen.” The breach also was “likely part of a broader campaign involving a number of other victim companies.”
He added, “It appears that the focus was to obtain contact information such as names, addresses, email addresses and phone numbers of current and former subscribers in order to send fraudulent solicitations.”
Ken Westin, senior security analyst with Tripwire, noted that when it comes to personal information, the initial breach is just the beginning of a long con that can play out over months or years, with the goal of robbing individuals of large sums of money.
“Fraud fuels data breaches; the number of large data breaches we see every day proves the link between these two crimes,” he said via email. “The rise of underground markets where hackers and fraudsters engage in commerce with one another has created a black market economy that generates demand for our personal information. The power of the Internet continues to strengthen the links between these two types of crimes, allowing both to become more lucrative.”
Dow Jones, a unit of News Corp. and owner of MarketWatch and Barron’s in addition to the WSJ, is a particularly hot target for cybercrime and fraud because its customers are more likely to be wealthy.
The company is the latest in a string of high-profile data breach victims, from Ashley Madison to Target.
“The Dow Jones breach exposed yet another loss of consumer information, and the response will likely be a shrug after so much prior loss,” said Michael Daly, CTO of Raytheon’s cybersecurity business, via email. “But, when everything is connected, everything is vulnerable, and we must not become complacent about such breaches. Today’s threats can be extremely sophisticated and it’s not about the number of attacks that come your way or even the number that get through. Instead, what matters is the attacker that stays on your network undetected and is able to send back data or cause damage.”