Sun website hack: ICO investigates whilst News International apologises

A hacker calling himself Batteye has claimed that the names, birth dates, addresses and other data posted on the Pastebin portal over the last few days was drawn from the July 19 hack of the Sun's servers.

According to newswire reports, the customer data includes a referendum poll list, a Wrigleys gum football competition, a Monarch airlines competition and Royal Wedding well-wisher's list.

In a letter sent out to Sun readers who are potentially on these lists, News International executive Chris Duncan said that data from a number of Sun competitions and polls was breached during a hacker attack.

"We are contacting you because we believe that information that you submitted to us could have been accessed, and may be published online by the group responsible", said the letter.

Infosecurity understands that News International is working with the Information Commissioner's Office, which is investigating the fall-out from the data breach.

Commenting on the hack, Graham Cluley, Sophos' senior technology consultant, said that cybercriminals will be rubbing their hands in glee at getting hold of data such as names, email addresses, dates of birth and phone numbers.

"The stolen information can be used to target innocent individuals. For instance, a scammer could email a beauty contest applicant, trick them into believing that it was the newspaper contacting them and attempt to steal money or further information", he said in his latest security posting.

"Large scale, high profile data breaches continue to hit the headlines and companies really need to take heed about what's going on, and consider the security of the information they store on their systems", he added.

Cluley went on to say that questions will inevitably be asked to why the sensitive information about readers and competition entrants wasn't safely stored using strong encryption."

Ash Patel, Stonesoft's country manager for the UK & Ireland, said that, for him, the worst thing about this hack is the fact that the hackers managed to get away with home addresses as this could have terrible consequences for those involved.

"The Sun is using the fact that the attackers haven't managed to get away with any financial data as some sort of reassurance but I really don’t think that makes much of a difference", he said.

"Hackers have obtained dates of birth and email addresses and they could now use this information to target victims with phishing emails. They could then obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or trojans on to their PC", he added.

Patel went on to say that organisations that carry out payment transactions should adhere to the PCI DSS compliance guidelines and these should act as a supplement to good practice in-house security policies and processes.

It is, he explained, very important to educate staff on Internet safety because ultimately the responsibility of security lies with the company and a breach can cause serious reputational damage.

What’s Hot on Infosecurity Magazine?