Sunday Star-Times

The web expert chasing data hacks

Firms may soon be forced to reveal if they’ve been hacked. Julie Iles reports.


Companies often don’t notify customers if their information has been breached, so Australian web expert Troy Hunt has taken on the job instead.

Hunt has created a free service – haveibeenpwned.com – that lets people see if their email has been found in a specific data breach, and what kind of personal information was leaked.

He regularly gets sent links to webpages where people have attached folders of hundreds, even thousands of individual data breaches, some with hundreds of millions of emails and passwords.

When testifying in a United States Congressional Hearing last week about the impact of data breaches, Hunt compared the ‘‘personal stash’’ people have of data collected from data breaches to a baseball card collection.

‘‘There is a culture of sharing data breaches and there are multiple drivers for this; in some cases we see data breaches monetised so we see it being sold ... other times, and this is the one that still blows me away, we see a lot of people simply collecting and redistributing this data,’’ Hunt said.

He recalled seeing 167 million email addresses and 117 million passwords from LinkedIn’s 2012 breach being sold online for 5 bitcoins, which at the time would have been several thousand dollars.

LinkedIn has never clarified how many users were affected by the breach, but reported that affected users had to do a mandatory password reset.

When Wellington photographer Cesar Koene used Hunt’s website, he found out that his account and password had been one of those leaked in the 2012 LinkedIn breach.

‘‘I never knew ... I’m a bit shocked actually because you think it’s secure but it’s not really,’’ Koene said.

With no legal requirement for companies to tell users if their information has been hacked, those with compromised information are left vulnerable, especially if the password is one the victims use for other things.

Hunt said he knows from combing through thousands of data breaches that passwords being repeated is a widespread issue.

Hunt has seen data theft lead to payday loans taken out under someone’s stolen identity, fraudulent tax returns filed, and ‘‘SIM card hijacking’’.

‘‘It’s a mess at the moment.’’ Hunt said sometimes companies are not even aware of breaches that have left personal information floating around the web.

He recently identified a 2014 data breach from image sharing website Imgur.

‘‘They didn’t know they had a data breach until someone sent it to me and I got in touch with them and said, ‘I have millions of records of your data’.’’

The Law Commission first proposed making mandatory breach reporting part of the new Privacy Bill, which is currently being drafted by Parliamentary Counsel and the Ministry of Justice.

Privacy Commissioner John Edwards said without mandatory breach reporting, ‘‘we don’t have any information about how many data breaches there have been, and how many get reported, and how many get swept under the rug.’’

‘‘All we know is what people choose to tell us and what we learn from the big international incidents like Ashley Madison, like the LinkedIn, like the Uber breach.’’

Edwards hoped changes to the Privacy Act would require companies that have been breached to pay a larger fine, and compel companies to prove they have changed vulnerable security systems after a breach.

He recommended that Parliament write fines of up to $1 million, for corporations that do not report breaches, into the Privacy Act.

‘‘At the moment there is no fine … but I think the case for fines is compelling.’’

The Privacy Commission has found companies in New Zealand are hesitant to part with client information, even when they are required to under law.

About 60 per cent of the complaints that come to the Privacy Commission are from people who want information about themselves but are not being given it.

The European Union plans to pass a law in May of next year called General Data Protection Regulation (GDPR).

As it stands, the law will have the power to fine up to 4 per cent of global revenue, which for companies like Amazon, Google, and Facebook could be billions of dollars.

The complexity of online financial crime is escalating and the new Government has been handed the task of thickening New Zealand’s armour.

Symantec technology strategist Mark Shaw said New Zealanders should expect to see more bank accounts hacked and more money stolen next year.

Artificial intelligence made light work for cyber-criminals who were increasingly using consumers as loopholes to target company accounts, he said.

New Zealanders lost a total of $730,000 from 364 cyber incidents reported to the Computer Emergency Response Team (Cert NZ) in the three months to June this year.

In a briefing to the incoming minister (BIM) responsible for cyber-security policy, officials warned of increasing threats.

‘‘Encryption, artificial intelligence, machine learning, and the Internet of Things will make the threat environment more challenging.’’

The briefing suggested the new Government update the cybersecurity action plan and prioritise improving the ability to prevent, investigate and respond to cyber crime, particularly within the New Zealand Police.

‘‘We can do more to address cyber-crime by allocating resources and specialised training for law enforcement.’’

The second priority for Government was redacted from the BIM.

Government Digital Services Minister Clare Curran said she knew the issue was significant and agreed that the action plan needed refreshing.

She said she would ‘‘lead a body of work’’ on the topic during her term, alongside Police Minister Stuart Nash and Justice Minister Andrew Little.

When asked what she would like her legacy to be in this area, Curran said cyber-crime awareness was top of her mind.

‘‘I want all New Zealanders to feel more informed, more safe and more equipped.’’

She commended the previous government’s cyber-security work, but said progress was too slow given the rapid growth of cybercrime.

‘‘We have got to work more swiftly in this space because cyber-crime is growing as a component of any country’s security issues,’’ she said.

‘‘I want us to show some leadership in this area because we are a small agile country.’’

She did not think New Zealand was overly vulnerable, but agreed that the capability to fight cyber-crime needed bolstering.

Cert NZ, the ‘‘Ghostbusters of the cyber environment,’’ did not have adequate resources to deal with the amount of reports it received, she said.

Cert’s helpline is open from 7am to 7pm, Monday to Friday.

The Cabinet is due to consider Cert’s future this month. Curran said that work was underway but had not yet been finalised.

She said she could not say if a boost for the police’s Financial Crime Group, Cyber-crime Unit or Cert was in the pipeline.

Shaw said the Government was required to play a role in fighting financial cyber-crime, but it should not be left to do so on its own.

The public and private sector joining forces was key, he said.

The police’s Financial Intelligence Unit formed a network with banks ANZ, ASB, BNZ, Kiwibank and Westpac this month.

The one-year-long pilot of the New Zealand Financial Crime Prevention Network aims to strengthen banks’ resilience against cyber-criminals exploiting their customers.

Detective Superintendent Iain Chapman said as technology became more sophisticated, so too did criminals.


Photo (SIMON O’CONNOR/STUFF): A lot of people collect and redistribute hacked data, which is how Australian web expert Troy Hunt comes across it.

Photo (SUPPLIED): Web expert Tom Hunt created haveibeenpwned.com.

Photo (123RF): Cyber-criminals stole $730,000 from New Zealanders within three months this year.

Photo (SUPPLIED): Symantec technology strategist Mark Shaw says cyber-crime is becoming more complex.
