UK companies must heed Sun hack warning, say security experts

Security experts say UK companies must heed The Sun newspaper's warning that thousands of readers who entered online competitions may have had their personal data compromised by hackers.

The paper said the data may have been stolen when The Sun's website was hacked on 19 July by the LulzSec hacktivist gang, which posted a bogus story announcing the death of Rupert Murdoch.

The stolen data is believed to include names, postal addresses, telephone numbers, dates of birth and e-mail addresses of online competition entrants and Miss Scotland beauty contest entrants.

Some of the details, including applications for the Miss Scotland contest, have been posted on the document-sharing site Pastebin, according to the BBC.

"The stolen information can be used to target innocent individuals. For instance, a scammer could e-mail a beauty contest applicant, trick them into believing that it is the newspaper contacting them, and attempt to steal money or further information," said Graham Cluley, senior technology consultant at Sophos.

Information security a top priority

Large-scale, high-profile data breaches continue to hit the headlines and companies really need to take heed and consider the security of the information they store on their systems, he said.

"Questions will inevitably be asked as to why the sensitive information about readers and competition entrants wasn't safely stored using strong encryption," said Cluley.

Mark James, technical manager at security firm ESET UK, said the general faith and trust of any data submitted online has been severely compromised recently.

"There is potentially more than one billion terabytes of data stored globally, a huge amount of which is saved on insecure low-cost servers and hardware, so it is no real surprise that another database has been hacked and data has been removed and pasted on the internet," he said.

As always in this situation it is paramount that passwords are changed regularly and that the same password is never used for all online accounts, he said.

News International, the parent company of The Sun's publisher News Group, said in a statement: "We take customer data extremely seriously and are working with the relevant authorities to resolve this matter. We are directly contacting customers affected by this."

Tighten up security policies

Organisations that carry out payment transactions should adhere to the PCI DSS compliance guidelines and these should act as a supplement to good practice in-house security policies and processes, said Ash Patel, country manager for UK and Ireland at security firm Stonesoft.

"It is very important to educate staff on internet safety because ultimately the responsibility of security lies with the company and a breach can cause serious reputational damage," he said.

If a company does not have the staffing resources at times of cutbacks to adopt and maintain a comprehensive security system, it should deploy security solutions that can be comprehensively centrally managed and updated to protect against new threats as they emerge, Patel added.

Liz Fitzsimons, senior associate at international law firm Eversheds, said organisations in possession of personal data need to be vigilant to guard against such attacks and to minimise their impact, and must deal with such attacks and their consequences as quickly as possible.

"Risks can be reduced by limiting the amount of personal data retained and regularly reviewing and improving security to ensure its adequacy," she added.

Fitzsimons said increased hacking activity adds weight to the argument that prison sentences should be seriously considered as a punishment for data theft.

The Information Commissioner's Office is campaigning to get UK lawmakers to introduce jail terms for anyone found guilty of using stolen personal information.

Information commissioner Christopher Graham, who has been pushing custodial sentences since taking office in 2009, believes that the idea of sending journalists to jail for using stolen data may find more support following the News of the World phone and computer hacking scandal.
