The Daily Telegraph’s recent attack on Information Commissioner Elizabeth Denham’s reign, in which the newspaper claimed she had chased headlines and wasted money on travel instead of doing her job, has come back to bite it on the derrière following a major data security cock-up.
According to security researcher Bob Diachenko, the Telegraph left 10 terabytes of subscriber data and server logs open to a breach for nearly three weeks after failing to properly secure one of its online repositories, held in what are called Elasticsearch clusters.
Diachenko said the cluster was freely accessible “without a password or any other authentication required to access it”. At the time of his review, the personal details of at least 1,200 Telegraph online subscribers were accessible without a password. The exposed records included users’ full names, email addresses, device details, IP addresses, URL requests, unique reader identifiers and authentication tokens.
The incident has also reportedly exposed a handful of gov.uk email addresses and a large number of internal server logs. After identifying the issue, Diachenko immediately alerted the newspaper about the threat and the database was secured the same day.
Telegraph bosses insist that while the data was exposed, it was not breached. In a statement the group said: “An investigation showed that only a small number of records were exposed – less than 0.1% of our users and we have contacted all the users to advise them.”
However, Diachenko warned that cyber criminals could easily use names and emails in the database for nefarious ends.
It is not known whether the company has reported the security lapse to the ICO but it will no doubt be hoping officials will not “chase headlines” on this occasion.
And the incident is likely to raise more than a wry smile at the regulator’s Wilmslow HQ, where officials were forced to jump to the defence of Denham’s record following the August article, seemingly inspired by long-term critics of the Commissioner’s record.
Telegraph leader writers then put the boot in further, and, under the headline “The Information Commissioner’s Office is letting us down”, insisted the “public deserves better than the ICO tilting at politically fashionable windmills”.
In response to the Telegraph claims, the ICO said: “We reject the claims that we chase headlines. The ICO takes a proportionate, pragmatic approach to its regulatory responsibilities. The approach is designed to build the public’s trust and confidence in data protection. Modern regulation uses a wide range of tools. Fines and penalties are always a last resort.”