An IT security vulnerability on all of News Corp’s major metropolitan websites in Australia, uncovered by an IT security expert, gave the expert the potential to access all of its newsletter subscribers’ highly personal information, including their household income.
Other details found to have been exposed included an email subscriber’s mobile number, year of birth, how many children they have, whether they are the household’s main grocery buyer, their first and last name, postcode, occupation, interests, email address and gender. No credit card information or passwords were exposed.
The information of anyone who had ever signed up to receive a News Corp metropolitan newspaper newsletter was available. Sydney’s Daily Telegraph, Adelaide’s Advertiser, Melbourne’s Herald Sun, Brisbane’s Courier Mail, Hobart’s Mercury and The Australian all hosted subscriber information on the newsletter database found to contain the vulnerability.
A number of regional News Corp newspaper websites also used the same database.
There is no evidence to suggest the vulnerability was exploited by a hacker with malicious intent, but the security expert who found it, who didn’t want to be identified, said there was no way of knowing for sure.
In a statement on Wednesday night, News Corp said it had found “no evidence of malicious access” and would “continue to examine” whether malicious access had occurred.
It shut down the relevant systems after Fairfax Media informed it on Wednesday afternoon that they were vulnerable, making the information inaccessible.
“We sincerely apologise for what has happened,” it said. “We are investigating this matter thoroughly to ensure this does not happen again.”
The apology is set to appear in all of News Corp’s metropolitan newspapers on Thursday and some of its regional papers.
News Corp reported in July that its websites collectively had more than 100,000 paying subscribers, and many more who had registered to use its metropolitan sites since it launched a new digital subscription service called news+ in May. It is unknown how many of those subscribers and others make use of its newsletters.
The security expert said he brought the vulnerability to Fairfax Media’s attention in order to highlight its existence.
Though not all newsletter information was mandatory to fill in when signing up, Fairfax Media has seen a number of newsletter subscriptions that were fully filled out.
“It looks like no one has gone through the right steps [in News Corp’s IT security department to secure the website],” the security expert said. “[The vulnerability] is really simple to fix.”
The expert said he found the vulnerability when unsubscribing from a News Corp newspaper’s newsletter and said that it would look “embarrassing” for the media company when revealed. He also claimed it was likely a hacker had already used the same vulnerability he found to mine the database for subscriber information, though he could not prove this.
Source: www.smh.com.au – Ben Grubb