This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
- There was a breach of the fifth and seventh principles.
- There had been a previous penetration test, so the Sun knew of the vulnerability.
- It seems that a significant volume of data was lost and then circulated on the Internet. Although it wasn’t sensitive personal data, the volume of the data should be enough to pass the ‘likely to cause distress’ test, especially given that the data was posted to the Internet; i.e. the breach of confidentiality actually happened, rather than being something that might happen if the lost data were exposed.
This undertaking should be contrasted with the Sony MPN, which was also the result of Lulzsec’s activities, and it will be informative to see whether the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.