A sophisticated and deliberate hack has been made against the Guardian newspaper's jobs website, according to an email sent out this month to those potentially affected by the attack. The newspaper has announced that hackers attacked its jobs website, which is provided by Madgex, and successfully extracted the details of more than 500,000 users. If one assumes average direct and indirect losses of £2,000 per person, that puts the exposure in the region of £1 billion.
Guardian Jobs has about 1.4 million users per month and stores the details of largely professional and public sector workers, so potentially another 900,000 users are at risk.
Scotland Yard's new e-Crime unit is involved, and the newspaper has not released any technical information relating to the attack. The information exposed comprises users' names, email addresses, CVs and covering letters, presumably including their postal addresses.
There has been much speculation about the attack, with the finger of suspicion pointed at some form of SQL injection. Other speculators point out that in every 1,000 lines of code there will be at least one hidden vulnerability. I suspect they have a hole in their calculator, because the vulnerability rate in some software components is probably far higher.
The reason that planes don't fall out of the sky on a daily basis is not that there are no vulnerabilities in the components, but that the system as a whole is security reliable: an integrated set of processes, security controls and their management that leads to an overall reliable system. That is a properly organised risk management system. You can't avoid risks; you manage them.
What we are seeing ever more often in the commercial and financial world is the failure of a single component for which the surrounding system is unable to compensate.
In this particular case the Guardian has provided the potentially affected job seekers with a list of police-endorsed steps to take as a precaution. These steps include approaching a reputable credit reference agency such as Equifax and registering with CIFAS, the UK's fraud prevention service. Potential victims are also invited to visit websites such as banksafeonline.org.uk for further advice and information. I haven't noticed too much enthusiasm for the Guardian at the moment, although in all fairness the problem does seem to be with their service provider, Madgex.
So where does the Information Commissioner's Office (ICO) sit in all this? Credit to the Guardian: they apparently notified it immediately the attack came to light, which is certainly not true of some of the other high-profile attacks such as Heartland and WorldPay, which sat on the loss of 1.5 million cardholders' personal information until just before Christmas last year, hoping it would get lost in the rush.
One cannot help feeling concerned at the apparent lack of teeth the ICO exhibits. In many of these public cases it is clear that the necessary security culture is absent; these are not high-security-reliability organisations, even though by rights appropriate technical and organisational security is a legal requirement under the Data Protection Act. We were told that the powers of the Information Commissioner would be increased, with even the possibility of prison sentences for severe breaches of duty by the senior management of an organisation. At the moment you seem to get more severe penalties for speeding.
I remember, when I first started in security, realising that it's pervasive and that it's the security of the whole that counts. I doubt anybody would argue with the concept, but that's not what we are seeing today. In the case of the financial institutions and their partners, the value of PCI DSS (the Payment Card Industry Data Security Standard) is currently falling into disrespect. I wonder why?
Dr David Everett, – Smartcard & Identity News