Breach Watch aims to be a useful repository of information about regulatory action taken as a result of data breaches. It provides a comprehensive archive of of ICO and FSA enforcement, helpful categorisation and occasional analysis. More …

ICO Data Protection Act Enforcement

Monetary Penalties	Undertakings	Enforcement Notices
DM Design Bedrooms Nursing and Midwifery Council Sony Computer Entertainment Europe	News Group Newspapers The Burnett Practice East Riding of Yorkshire Council	Stoke-on-Trent City Council Southampton City Council Staffordshire County Council

ICO Privacy and Electronic Communications Regulations Enforcement

FSA Enforcement

Latest update

News Group Newspapers

Breach details

What	Customers' personal data, some several years old.
How much	'Thousands' according to some press reports , a 'large amount' described in the undertaking and TechEye claimed 500,000.
When	July 2011
Why	A server hosting part of The Sun newspaper's website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.

BW Comments

It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.

Regulatory action

Regulator	ICO
Action	Undertaking to comply with the fifth and seventh data protection principles
When	9 November 2011
Details	Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).

BW Observations

This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn't see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
There was a breach of the fifth and seventh principles.

There had been a previous penetration test, so the Sun knew of the vulnerability.

It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn't sensitive personal data, the volume of the data should be enough to pass the 'likely to cause distress' test especially given the data was posted to the Internet -- i.e. the breach of confidentiality happened, it was not something that might happen if the lost data were exposed.
This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec's activities and it will be informative to see if the ICO's choice of an undertaking for the Sun is mentioned at Sony's appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner's fear of the UK press.

Links

View PDF of the News Group Newspapers Undertaking (Breach Watch Archive)

View PDF of the News Group Newspapers Undertaking (Via ICO Website)

FSA (7)	£ 7,777,000
ICO DPA (34)	£ 3,781,000
ICO PECR (3)	£ 530,000

Breach Watch

Data breaches and regulatory activities

Data Breaches and Regulatory Activities