Hacker Leaks Data From Sydney Morning Herald Archive Site
Breach Involved a SQL Injection Attack
A hacker published personal information, including email addresses, from a database of subscribers for an online archival service of Fairfax Media's Sydney Morning Herald in Australia.
The database was breached by a SQL injection attack, said Francis Armstrong, founder and managing director of Smedia, a Melbourne-based IT services company that Fairfax used as a contractor to run the archival service.
SQL injection is one of the most common types of attack against web applications. Hackers try different variations of SQL queries to see if backend databases will divulge data.
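To make the mechanism concrete, here is an added example (not code from Smedia, Fairfax Media or Risk Based Security, and unrelated to the breached system) using Python's built-in sqlite3 module and a constructed three-row subscriber table. It places the vulnerable pattern, where user input is pasted into the query text, beside the parameterized query that fixes it, and shows how the same input behaves against each.

```python
import sqlite3

# Constructed sample rows standing in for an archive-subscriber table.
# Emails and hashes are placeholders, not data from any real system.
SUBSCRIBERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
    ("carol@example.com", "hash-c"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SUBSCRIBERS)
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the input is concatenated into the SQL text.

    Because quotes and keywords in the input become part of the query the
    database parses, input containing SQL syntax changes what is executed.
    """
    sql = "SELECT email FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Fixed: the input is passed as a bound parameter.

    The query structure is fixed before the database sees the value, so the
    value can only ever be compared literally against the email column.
    """
    sql = "SELECT email FROM subscribers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run one ordinary lookup and one malformed input through both versions."""
    conn = make_db()
    normal = "alice@example.com"
    # A tautology: concatenated into the vulnerable query it becomes
    # WHERE email = '' OR '1'='1', which every row satisfies.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "parameterized_normal": lookup_parameterized(conn, normal),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version returns nothing for the malformed input because there is no subscriber whose address is literally that string; the concatenated version returns every row. The defensive lesson is that no input filtering is involved in the fix: the query shape is decided by the application, and the database never has to guess where the data ends and the SQL begins.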
Armstrong said he found out about the breach the morning of May 20, and the vulnerability is in the process of being patched.
A Fairfax Media spokesman said the archive service runs on different systems than the company's classified and transactions businesses. The websites of the Sydney Morning Herald and The Age, another Fairfax publication, were also not affected.
"The data may include email addresses for example, but not financial information, for a limited number of users of the archive editions," he said.
The Herald's archive service, launched in 2006, offers paid access to newspaper editions dating from 1955 to 1995.
Risk Based Security of Richmond, Va., first reported the breach on its blog May 19. The company said it had contact with the hacker, who goes by the nickname "sn0n."
A total of 13,000 records were posted in two batches on a public website, according to Risk Based Security. The records contained email addresses and hashed passwords, purportedly for the Sydney Morning Herald's archive site and one for The Age, the security firm says.
The hacker claimed that the database also contained credit card numbers with expiration dates, subscriber names, phone numbers and some limited address information, but he chose not to release the full information, Risk Based Security reports.
Armstrong said, however, that his company's investigation showed that the accurate number of records leaked was less than 7,000, and those records pertained to only the Sydney Morning Herald archive site.
He said there was no credit card information in the database because Smedia uses a third-party payment gateway. That provider would not have stored plain-text credit card data in any case, he said.
In cooperation with Fairfax Media, Smedia plans to notify subscribers whose email addresses were leaked. "We are identifying exactly the email addresses, and then either Fairfax or [we] will prepare a communication," Armstrong said.
Breach Notification Requirements
Australia does not have a mandatory data breach reporting law. Organizations are under no obligation, either under the Privacy Act or from the Office of the Australian Information Commissioner, to notify consumers.
However, the country has been mulling legislation that would make reporting data breaches to consumers and regulators mandatory in certain circumstances. In March, the government concluded a public consultation on draft legislation. No action is likely, however, until after Australia holds a federal election on July 2.
Armstrong said the decision to notify customers was made in part because of the close community of archive subscribers. When people hear about data breaches, "you assume the worst," he said.