Dow Jones Subject to Data Breach

Per The Wall Street Journal, Dow Jones & Co. (Ticker: DJI) is the next name in a long line of victims of cyber attacks and data breaches. According to Reuters, Dow Jones has not found any direct forensic evidence and “had taken steps to stop the breach.” These steps may be too late.

“The data breach potentially accessed payment card information for fewer than 3,500 individuals, said Dow Jones, a unit of News Corp (Ticker: NWSA) and owner of The Wall Street Journal, MarketWatch and Barron’s. The goal of the broader hack seems to have been to obtain contact information, Dow Jones said” (The Wall Street Journal, 2015).

CNBC is reporting that “The system was breached between August 2012 and July 2015.” That is too long a period for any cyber attack or data breach to be ‘in progress’ without detection, especially when customer payment data is included.

“Dow Jones CEO William Lewis said the company found ‘no direct evidence that information was stolen.’ The hackers appeared to target contact information in order to send fraudulent messages to customers, he added” (CNBC & NBC News, 2015). Dow Jones CEO William Lewis told Fortune (2015), “We understand that this incident was likely part of a broader campaign involving a number of other victim companies.”

Our Analysis

Taking this long to discover an attack or breach is uncalled for. I give Dow Jones & Co. kudos for reporting quickly and seemingly transparently. Ultimately, this should have been avoided. Depending on the attack vector, there are several mitigating measures that could have been applied:

  1. Sanitization of inputs to prevent SQL injection or any other code injection
  2. Using “Strong Passwords” or pass phrases and changing them frequently
  3. Implementing a strong vulnerability management and scanning program
    1. This could have prevented any information disclosure vulnerabilities from un-patched software
    2. This could have uncovered the vulnerable asset and prompted someone to fix it
  4. A security awareness program that educates users about passwords, internet security & safety, and phishing/social engineering would have prevented and/or delayed the attack
  5. A good information security policy would have spelled all of this out
  6. An insider threat awareness program could have identified anyone that may have attempted this internally

There are some vulnerabilities that cannot be remediated, and there will always be some risk of an attack of some sort. By implementing best practices and a sound security program, most issues are minimized or eliminated. The issue here is that too often, organizations see the minimum security requirements as the end-all, be-all without thinking about the possible damage to the organization and/or its reputation. Regulatory compliance like PCI or Sarbanes-Oxley (SOX) is great, but it is not holistic for the organization as a whole; it covers merely a small subset. While it may not be the case here, it certainly could be.

Other High Profile Breaches:

Experian (includes T-Mobile)
Trump Hotels
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison
Ashley Madison (follow up)

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

Sources:

The Wall Street Journal
NBC News

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.