02 Aug 2011
Readers of The Sun have been warned that personal details which could include email addresses and phone numbers were stolen as part of the hack of News International systems last month and have been posted online.
Hackers managed to break into News International in July, exploiting what many believe to be a common remote file inclusion vulnerability to post a fake story about the death of Rupert Murdoch.
News International's customer data director, Chris Duncan, told readers in an email sent on Monday evening that the company is working with the police and the Information Commissioner's Office (ICO) to ensure that the files are retrieved.
"As you may be aware, on 19 July The Sun web site was subjected to an organised criminal attack. It has now come to our attention that some customer information from competitions and polls was breached as part of this attack," he said.
"Details vary but could include name, address, date of birth, email and phone numbers. No financial or password information was compromised."
The hacker, known as 'Batteye' on Twitter, has already begun posting some of the files in question, including competition lists, and promised to disclose more information in a message on Pastebin.
"We will begin today by presenting to you various files obtained from The Sun, a company within the News Corp group," read the statement.
"We will continue, then, by exposing the world for what it is; a less than perfect place where we cannot trust those who we ask to protect our information."
It was thought that LulzSec had hacked News International on 19 July, leading to the fake Sun story, but @batteye's Twitter feed suggests that the hacker is "not in @lulzsec".
Another post said: "I'm not really with Anonymous ... but then again I sort of am, aren't I?"
Mike Smart, European product and solutions director at security firm SafeNet, warned that consumer brands must take their data protection responsibilities more seriously.
"While News International acknowledges that financial details are secure, as you would expect the loss of so much unencrypted soft social data on names, addresses, emails and date of birth offers a delicious feast of possibilities for scammers and spear phishers," he said.
Jacques Erasmus, a web expert from security vendor Webroot, added that any organisations which find they have breached customer details should undergo "a complete rebuild" of their online infrastructure.
"Simple steps like ensuring all cyber hygiene protocols are practised and that all PCs and devices have the most up-to-date AV software installed must not be ignored," he added.
"This, coupled with a well defined vulnerability management process and understanding of what information is of value to the organisation, will ensure companies are aware of any vulnerabilities and have the necessary patch in place before criminals are able to attack."
An ICO spokesman said the watchdog had been informed of a "possible data breach".
"We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken," he added.