
Dow Jones Suffers Data Breach

Malicious Hackers Target Subscriber Information in Dow Jones Breach

Business news and financial information provider Dow Jones & Company revealed on Friday that its systems had been breached by malicious actors who might have stolen subscriber information.

The News Corp-owned company and publisher of the Wall Street Journal told customers that it learned of the breach after it was alerted by law enforcement in late July. Following an investigation conducted in collaboration with a cyber security firm, Dow Jones determined that attackers accessed its systems “at certain times” between August 2012 and July 2015.

According to law enforcement, Dow Jones is just one of several organizations targeted by malicious actors as part of a broad campaign. In the case of the financial news provider, the hackers appear to have targeted the contact details of current and former subscribers, including names, addresses, email addresses and phone numbers, information which they wanted to use to send out fraudulent solicitations.

The attackers might have also accessed financial information, including payment card and contact details, belonging to roughly 3,500 individuals. However, there is no direct evidence that any information has actually been stolen or misused, Dow Jones CEO William Lewis said in a letter sent out to customers last week.

Individuals whose financial details have been exposed will receive letters informing them about the incident and they will be offered free identity protection services. Dow Jones believes there is no need for customers to change their passwords since the information is encrypted, but it’s unclear what type of encryption or hashing system has been used.

Regarding the delay of more than two months in notifying customers, Lewis said the company’s goal has been to quickly contain and investigate the breach, and then provide accurate information as soon as possible.

Dow Jones customers concerned about their online account are advised to contact the company’s customer service department at 1-800-JOURNAL.

“In today’s world – where literally anyone connected to the Internet is vulnerable – it’s no longer just a question of spending, it’s a question of processes and skills. Following the Dow Jones breach, I’m heartened that the CEO has publicly said that no company is immune to cyberattacks. Solely recognizing that all organizations need comprehensive security solutions is the first step to reducing the onslaught of breaches we’ve witnessed over the last few years,” Grayson Milbourne, security intelligence director at Webroot, commented on the incident.

“As large company breaches have revealed, security isn’t always a question of budget but also a question of skills and background checks. The name of the game is to find out what is going on in an environment and reduce the risk,” Milbourne told SecurityWeek. “Overall, there is a clear trend of attacks that aim to compromise companies who store vast amounts of user data. These businesses need to prepare for continued attacks by updating their security policies and systems to be on high alert.”

This is not the first time Dow Jones has been targeted by malicious hackers. The company was one of the many victims of an international hacking scheme in which the members of a criminal enterprise caused $300 million in losses between 2005 and 2012. The crime syndicate, whose leader recently pleaded guilty in a US court to charges of conspiracy to commit wire fraud and unauthorized access of protected computers, is said to have stolen 10,000 login credentials from Dow Jones.

The Wall Street Journal has also been targeted by malicious actors. The company took some of its computers offline in July 2014 after detecting an intrusion.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.