Up to half-a-million people could have had their personal details compromised in the hack of the Guardian Jobs website.
The security breach, news of which emerged at the weekend, exposed the personal data of people who had used the site to submit job applications. Guardian News and Media Group said on Monday that it had no clear idea of numbers affected, but had emailed approximately half a million users on Saturday as a precautionary measure. The site has over 10 million unique users per year.
In its email, the publishing company said the employment site had been "targeted by a sophisticated and deliberate hack".
A spokesperson for Guardian News and Media declined to give ZDNet UK any technical details of the breach, which is being investigated by the Police Central e-Crime Unit. "We cannot share details of the hack, since to do so might prejudice the ongoing police investigation," the spokesperson said.
The Guardian Jobs website is outsourced to third-party jobs board provider Madgex, the publishing company confirmed on Monday. Madgex told ZDNet UK on Monday that hackers had accessed job seeker CVs on Guardian Jobs. Madgex chief executive Simon Conroy added that other Madgex clients, which include News International, Reed Elsevier, and Haymarket, had not been affected.
"We are not aware of any other Madgex-operated website having been targeted in this way, but we have taken preventative measures to ensure the same issue cannot occur with other client Job Boards," said Conroy in an email statement.
Commenting on the Guardian Jobs breach, security vendor Websense said people should be aware their personal details may be used in highly targeted attacks.
"With the bad guys having access to personal information about the target, it makes it possible to create a very attractive and believable email that will have a high likelihood to trick the recipient into clicking on a link or running the attachment," said Patrik Runald, senior manager of Websense security labs, in an email statement.
The Guardian is not obliged by UK law to send a breach-notification email to those who may have been affected, but instead was following best practice as advocated by privacy watchdog the Information Commissioner's Office, the Guardian Jobs website said in a security update on Sunday.
While the House of Lords called for a data-breach notification law in July 2008, the government rejected that call in November, saying only that companies should report data-loss incidents "as a matter of good practice".
However, European information commissioner Viviane Reding said on Monday that the EU is considering new rules to protect consumers who lodge details with an online service provider. In a speech in Brussels, Reding said the recent illicit collection of data from German social-networking site Schueler VZ showed such companies may also need to be governed by data-breach legislation.
"Obligations to ensure protection against data breaches cannot be limited to electronic communications networks alone, but may need to be addressed in new EU rules which cover online services as well," Reding told an audience of security professionals.
Data-breach notification may become mandatory for ISPs through the Telecoms Package that is expected to be passed by the European Parliament in the coming months.
"When a security breach happens, the operator will have to inform the authorities and those citizens who may face harm as a result of the loss of their personal data," said Reding. "Furthermore, network operators must notify the competent national regulatory authority of a breach of security or loss of integrity that had a significant impact on the operation of networks or services."