|Customers’ personal data, some several years old.
|‘Thousands’ according to some press reports , a ‘large amount’ described in the undertaking and TechEye claimed 500,000.
|A server hosting part of The Sun newspaper’s website had, unnoticed by the data controller, been repurposed several years earlier, and was subsequently compromised by a malicious attacker (Lulzsec). Further weaknesses had also been identified but remained unrectified prior to the attack.
|It is surprising that a large organisation such as News Group Newspapers made such simple information security mistakes. Firstly in retaining data they no longer needed when they re-built a server for a new role, but more worryingly that they had previously had a penetration test but had not rectified the vulnerabilities identified by the tester.
|Undertaking to comply with the fifth and seventh data protection principles
|9 November 2011
|Along with the usual staff awareness and training, technical security controls on the web server were to be improved and implemented by 31 December 2011 (i.e. compliance with the seventh principle), and any customer data collected to be cleared regularly according to a defined retention and disposal policy (compliance with the fifth principle).
|This undertaking was not released until the criminal trial of the UK-based Lulzsec hackers was concluded. It is interesting that the ICO didn’t see fit to consider a monetary penalty notice as the breach appears to meet the right criteria.
This undertaking should be contrasted with the Sony MPN that was also the result of Lulzsec’s activities and it will be informative to see if the ICO’s choice of an undertaking for the Sun is mentioned at Sony’s appeal to the Information Tribunal. Less charitable commentators may view this soft approach to News Group Newspapers as another example of the Commissioner’s fear of the UK press.
|View PDF of the News Group Newspapers Undertaking (Breach Watch Archive)
|View PDF of the News Group Newspapers Undertaking (Via ICO Website)