News International has suffered a fresh setback as it has been forced to contact readers regarding a potential data breach.
Chris Duncan, director of customer management at News Group Newspapers (NGN), publisher of The Sun and formerly of the News of the World, admitted that the attack on July 19th also caused some customer information from competitions and polls to be breached.
In that instance, the Sun homepage redirected to a page that claimed that News Corporation founder Rupert Murdoch had died. It has been alleged that Jake Davies, who police arrested last week and is believed to be LulzSec member ‘Topiary', had been responsible for that attack.
Duncan said that data that may have been breached could include names, addresses, dates of birth, email addresses and phone numbers, although no financial or password information was compromised.
He said: “We are working closely with the Police and the Information Commissioner's Office to ensure that all steps are taken to retrieve the files involved. We regret that we've not been able to stop this incident from happening.”
A statement appeared on Pastebin from someone calling themselves ‘Batteye' who said that various files obtained from The Sun will be presented.
He said: “We will continue by exposing the world for what it is; a less than perfect place where we cannot trust those who we ask to protect our information. We will continue, until the list has been exhausted, or until the world and man kind realises that we must change how we go on.”
Stewart Room, partner at legal firm Field Fisher Waterhouse, told SC Magazine that despite the details of the breach being sketchy, the preliminary lessons for businesses are already very clear.
He said: “First, if this loss is connected to the LulzSec redirection of The Sun homepage, then it's perilous for businesses to dismiss the ‘hacktivist' community as mere script kiddies. Quite simply, this community seems to be able to harness incredible power to cause significant business interruption.
“Secondly we are reminded that as a matter of law, a business can be held liable for personal data breaches which are the results of cyber attacks if they do not put in place adequate measures to prevent data loss.
“Thirdly and perhaps most importantly, this case reminds us that we do not properly understand the full dynamics of cyber threats. In other words, we are still feeling our way through a massively complex area.
“How the lawmakers will respond from here is anyone's guess, although we are witnessing a cycle of high profile arrests, which suggests that the law enforcement community is actively engaged.”