The Sun is warning thousands of readers who entered internet competitions that their personal details may have been stolen in the hacking attack on 19 July.
An email to readers last night said no financial or password information was compromised but name, address, email, date of birth and phone numbers might have been.
Lulzsec and Anonymous claimed responsibility for the July attack, which redirected visitors to a hoax story about Rupert Murdoch’s death.
His Twitter account tweeted: “I’m not really with Anonymous, but then again I sort of am, aren’t I?”
The data purports to include people who registered as having been bullied at school and applicants for the Miss Scotland competition.
Chris Duncan, director of customer management at News International, wrote to readers saying it regretted the incident and was working with the Information Commissioner and police to retrieve the data.
He also advised people to be wary of contact from unknown third parties.
“On the 19 July The Sun website was subject to an organised criminal attack,” he wrote. “We are contacting you because we believe that information that you submitted to us could have been accessed, and may be published online by the group responsible.”
The denials from ‘Batteye’ seem to run counter to the events surrounding the July attack.
When the original attack eventually crashed the website hosting the spoof Murdoch story, visitors were then taken to Lulzsec’s Twitter feed.
Here, they were greeted by the message: “TheSun.co.uk now redirects to our Twitter feed. Hello, everyone that wanted to visit The Sun! How is your day? Good? Good!”
Lulzsec and Anonymous boasted about the attack and days later claimed to be negotiating with national media outlets about releasing stolen data.
Jake Davis, 18 and from the Shetland Isles, was arrested last week and charged in connection with hacking attacks against SOCA and News International, each claimed by Lulzsec.
He is alleged by authorities to be Topiary, the Lulzsec spokesman interviewed in the media and responsible for the group’s Twitter feed. He was released on bail yesterday to return to court on 30 August.
Lulzsec said it had disbanded the ‘Lulz boat’ and sailed off into the sunset on 26 June but resurfaced for The Sun hack, unable to resist sticking its oar into the phone hacking scandal engulfing News International.
Lulzsec’s Twitter feed, its platform for announcing attacks and taunting victims, has been quiet since 27 July.
Comment by email from David Harley, senior research fellow at security firm ESET:
“There may have been no financial data to steal, but there seems to have been enough to give so-inclined bad guys a start on password guessing or even ID theft: however, the same data is available from many other sources. Customers probably can’t do much about the data that has been exposed, but they can at least ensure that their passwords aren’t directly related to the kind of data that may be (more) available to criminals. Since LulzSec seems to be carrying out an ongoing campaign against the Sun, and stealing customer data has been one of the group’s regular activities, it’s obviously possible that they carried out this particular attack, as some are assuming.”
Aziz Maakaroun, managing partner at Outpost24 UK, made the following comments by email:
“It is a terrible shame that innocent users have fallen victim to what initially purported to be a politically motivated attack on the website of The Sun. This goes to show that attacks that may appear to be a simple defacement ‘for the lulz’, or to make a point regarding lax security, often have much more serious consequences.
“There has been a recent surge in successful attacks on celebrity websites and larger businesses and organisations. All of this points to one thing – web security just isn’t being taken seriously enough.
“Organisations and individuals running websites must heighten their awareness of online threats and make good their defences by ensuring that they have the latest products and that they are regularly updated. If they do not, they risk humiliating data breaches, defacements, fines and angry customers demanding to know if their details are among those stolen. News International has been dragged through the mire recently, and this admission will not help wash off the accumulated dirt that is sticking to their tarnished brand.”
It is not only threat awareness and defense that are important, but to maintain user trust, if something does occur, quickly inform the users what has happened and what steps the firm is taking to address the issue. Two industry examples of data privacy trust recovery are the Sony Playstation Network and the many firms who used Epsilon for direct marketing services when Epsilon was hacked.