In relation to the news that The Sun website has been hacked and personal customer details may have been exposed to hackers, David Harley, senior research fellow at ESET, and Mark James, technical manager at ESET, have the following comments:
David Harley, senior research fellow at ESET: “There may have been no financial data to steal, but there seems to have been enough to give so-inclined bad guys a start on password guessing or even ID theft: however, the same data is available from many other sources. Customers probably can’t do much about the data that has been exposed, but they can at least ensure that their passwords aren’t directly related to the kind of data that may be (more) available to criminals. Since LulzSec seems to be carrying out an ongoing campaign against the Sun, and stealing customer data has been one of the group’s regular activities, it’s obviously possible that they carried out this particular attack, as some are assuming.”
Mark James, technical manager at ESET UK: “I think the general faith and trust of any online submitted data has been severely compromised recently. There is potentially over 1 billion terabytes (1 zettabyte) of data stored globally and a huge amount of this is being saved on insecure "lowest cost" servers and hardware so it is no real surprise that another database has been hacked and data has been removed and pasted on the internet. The problem with this type of breach is the potential to use such data for fraud or malice, as usual in this situation it is paramount that passwords are changed regularly and never use the same password for all your internet activity, work out a good (and well remembered) procedure to use different types of passwords for each login on the web. It is also a good idea to think about the username you use, if you have to, use your email address then use a few different ones if possible. Email addresses these days are fairly easy to come by and even just having 2 or 3 different ones will help.”
Ash Patel, country manager for UK & Ireland at Stonesoft has the following comments: “For me, the worst thing about this hack is the fact that the hackers managed to get away with home addresses as this could have terrible consequences for those involved.”
“The Sun is using the fact that the attackers haven’t managed to get away with any financial data as some sort of reassurance but I really don’t think that makes much of a difference. Hackers have obtained dates of birth and email addresses and they could now use this information to target victims with phishing emails. They could then obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC.”
"Organisations that carry out payment transactions should adhere to the PCI DSS Compliance guidelines and these should act as a supplement to good practice in-house security policies and processes. It is very important to educate staff on Internet safety because ultimately the responsibility of security lies with the company and a breach can cause serious reputational damage.”
“If a company finds it doesn’t have the staffing resources at times of cutbacks to adopt and maintain a comprehensive security system/practice they should deploy security solutions which can be comprehensively centrally managed and updated to protect against new threats as they emerge.”
Aziz Maakaroun, managing partner at Outpost24 UK, made the following comments: “It is a terrible shame that innocent users have fallen victim to what initially purported to be a politically motivated attack on the website of The Sun. This goes to show that attacks that may appear to be a simple defacement ‘for the lulz’, or to make a point regarding lax security, often have much more serious consequences.
“There has been a recent surge in successful attacks on celebrity websites and larger businesses and organisations. All of this points to one thing – web security just isn’t being taken seriously enough.
“Organisations and individuals running websites must heighten their awareness of online threats and make good their defences by ensuring that they have the latest products and that they are regularly updated. If they do not, they risk humiliating data breaches, defacements, fines and angry customers demanding to know if their details are among those stolen. News International has been dragged through the mire recently, and this admission will not help wash off the accumulated dirt that is sticking to their tarnished brand.”