Hackers Steal Half A Million CVs From The Guardian

Users of the Guardian jobs website may have had their security compromised after hackers stole up to half a million CVs in a “sophisticated and deliberate” attack, the newspaper company has announced.

The hack, which was interrupted before it was completed, involved the theft of users’ names, email addresses, covering letters and CVs, but not their private account details such as passwords. “We have no reason to believe that any financial or bank data was compromised,” said the Guardian in an email to the victims.

“As soon as we were alerted to the fact that there was a problem, we dealt with it, in line with the information commissioner’s guidance on data protection,” said a Guardian spokesperson. “We felt it was important to be transparent and alert our users as soon as possible.”

The UK jobs website is run by software provider Madgex, which does not store the data on the internet but on separate databases. The Guardian claims that Madgex has identified the way in which data was hacked and has taken steps to prevent a recurrence.

In a security update issued yesterday, the Guardian said that the police are conducting a full investigation through the central e-crime unit at New Scotland Yard. However, it emphasised that public information about the theft has to be kept to a minimum, so as not to compromise the investigation.

A Guardian technology director said that further details of the attack, including numbers of victims and types of data, will be made available in the next few days. In the meantime the Guardian recommends “precautionary measures” such as contacting a credit reference agency and using Cifas, the UK’s fraud prevention service.

Identity theft is a concern for three quarters of UK residents, and there are fears that the recession will drive an increase in criminal activity, according to surveys earlier this year.

Last week the Information Systems Security Association (ISSA) published a white paper, endorsed by MP David Blunkett, setting out guidelines and best practice for companies with regard to clients’ identity protection.

According to the author David Lacey “We need a step-change in our security and management practices: clearer principles, stricter standards and tougher oversight. We must explain to citizens what we are doing with their personal data, and reassure them that we can protect it.”

The Guardian was contacted, but was unable to give any details of how the fraud was carried out before publication.