News Group Newspapers
Data affected: Customers' personal data, some several years old.
Records affected: 'Thousands' according to some press reports, a 'large amount' as described in the undertaking; TechEye claimed 500,000.
Cause: A server hosting part of The Sun newspaper's website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.
Enforcement action: Undertaking to comply with the fifth and seventh data protection principles.
Date: 9 November 2011
Required actions: Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).
This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn't see fit to consider a monetary penalty notice, as the breach appears to meet the right criteria.
This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec's activities and it will be informative to see if the ICO's choice of an undertaking for the Sun is mentioned at Sony's appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner's fear of the UK press.
- There was a breach of the fifth and seventh principles.
- There had been a previous penetration test, so the Sun knew of the vulnerability.
- It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn't sensitive personal data, the volume of the data should be enough to pass the 'likely to cause distress' test, especially given the data was posted to the Internet: the breach of confidentiality actually happened, rather than being something that might happen if the lost data were exposed.