Guardian Jobs website hack may have been an SQL injection and not a 'sophisticated' attack

News by Dan Raywood

An SQL injection may have been the cause of the hacking of the Guardian's Jobs website last week.

An SQL injection may have been the cause of the hacking of the Guardian's Jobs website last week.

Amichai Shulman, Imperva's chief technology officer, said that the most eye-catching feature of the site hack is the use of the phrase 'sophisticated and deliberate attack'.

Shulman said: “Our experience shows that 'sophisticated attack' is usually a pseudonym for 'SQL injection', although I must admit that an initial glimpse into the site hints that it may actually be a more sophisticated hack than the usual. At the end of the day, however, I don't think that it's much more than SQL injection, sophisticated or otherwise.”

In an email to registered users, the Guardian said that it had learned of a 'sophisticated and deliberate hack, which has breached the security of the data on the site', and warned that personal data may have been accessed.

It said: “We are absolutely committed to the privacy of our users, and would like to assure you that we are treating this situation with the utmost seriousness. The matter has been reported to the police, who are now undertaking a full investigation through the police central e-crime unit at New Scotland Yard.

“The supplier who runs the site has identified the manner in which it was hacked and taken steps to prevent a recurrence. We have no reason to believe that any financial or bank data was compromised in this incident. However the police advise that those whose personal data may have been stolen in this way should take a number of precautionary measures.”

A Guardian spokesperson said: "We have seen the various comments speculating on the nature of the security breach to the Guardian Jobs site. As we have made clear the matter is currently under police investigation and we cannot comment further at this stage, as to do so, may prejudice the ongoing inquiry. Anything else is purely speculation.”

Shulman believed that if it were a Trojan-based attack then they would have stated it by now and used a different wording, such as 'hackers who managed to break into the Guardian network'. However this seems unlikely, as if an SQL injection attack was to blame for the Guardian site hack, then tagging it as 'sophisticated' might be a bit misleading, though not uncommon.

Shulman said: “The only positive thing one can say is that the Guardian is not itself to blame, as the BBC news report on the incident refers to a third party company supplying the service. This is small comfort to site users, however, who will now be worried about identity theft issues.”

Sarah Blaney, ID theft expert from CPP, said: “Whilst the Guardian's assurance that users' financial or banking details have not been compromised in this hack, the fact that sensitive personal information has been exposed is very concerning and highlights how easily identity fraudsters can target public websites.

“These days, all a fraudster needs is a name, address and a date of birth to steal an identity – which many will have on their CVs. We urge all of those affected to alert their banks immediately, and to monitor their accounts carefully. Preventative methods such as protective registration, monitoring online credit reports, and using a credit alert report, will also help safeguard against fraud.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews