Over the last few years, the website Have I Been Pwned (HIBP) has given people the chance to check whether their personal data was compromised in any data breaches. Now the site reveals that the UK and Australian governments are using its services to monitor official domains.
That governments should check the site's database for the presence of their own email addresses is perhaps not surprising -- it's used by just about every type of body imaginable. But now the mechanics have been opened up for these two governments.
Troy Hunt, the creator of the site, explains that the service has been tailored to the governments by directing HIBP's commercial model to a particular set of domains. He says: "As of now, all UK government domains are enabled for centralized monitoring by the National Cyber Security Centre (NCSC) and all Australian government domains by the Australian Cyber Security Centre (ACSC)."
Hunt shared the news on Twitter.
HIBP is not benefiting financially from either government, as Hunt explains:
I've always wanted HIBP to be first and foremost a freely available service for email and verified domain searches and particularly in this industry, it's very easy for financial motives to taint the ethics of how this data is dealt with. To that point, I've made this available to the NCSC and the ACSC without any commercialization whatsoever -- they get it for free.
He goes on to explain what the governmental offering means in practice:
For example, the UK government can query any .gov.uk domain on demand and the Aus government can query any .gov.au domain on demand. They can both also query a small handful of whitelisted domains on different TLDs, for example, The Commonwealth Scientific and Industrial Research Organisation (CSIRO) runs on csiro.au so that domain is whitelisted for the ACSC in addition to the .gov.au TLD. What this means - and this is enormously important - is that the NCSC and ACSC can't turn around and query, say, troyhunt.com. The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we're just consolidating it all into a unified service.
As part of that service, they'll also be using the existing notification service that commercial subscribers have access to. This is a webhook model which calls back into an endpoint the respective governments host. Every time an alias on one of their domains is seen in a new data breach or a paste, the incident is automatically posted to them. It means that within minutes of one of their email addresses being found and loaded into HIBP, they'll know about it. That's really important in terms of giving them the ability to respond quickly and by unifying all those existing one-off domain searches, the respective governments will be able to immediately see when an incident has a potentially broad impact. This can be especially important when you consider data breaches such as Dropbox; many organizations of all kinds suddenly learned that a bunch of their people had cloud storage accounts under their corporate email addresses so you can imagine some of the discussions that subsequently ensued.
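The two mechanisms Hunt describes above, a per-government scope limited to whitelisted domains (.gov.uk for the NCSC; .gov.au plus csiro.au for the ACSC) and a webhook that pushes each new breach or paste hit to the respective government, are easy to get subtly wrong on the receiving side. The following Python is an added example written for this article; it is not HIBP's code or Troy Hunt's. The scope table is taken from the quoted text, but the notification payload shape (`breach`, `email`) is an assumption constructed for the example, since the page does not describe HIBP's actual callback format. The point it demonstrates is that a domain scope check has to match on label boundaries: `cabinet.gov.uk` is in scope for the NCSC, while `notgov.uk` and `gov.uk.example.com` are not, even though both end in the characters `gov.uk`.

```python
"""Added example (not HIBP's or Troy Hunt's code): a minimal receiver for the
kind of domain-scoped breach notification described in the article.

Assumption: the JSON payload shape used below is constructed for this example;
the page does not document HIBP's real webhook format.
"""
import json

# Per-government scope, as named in the article: each entry is a set of
# domain suffixes whose subdomains are also covered.
SCOPES = {
    "NCSC": {"gov.uk"},
    "ACSC": {"gov.au", "csiro.au"},
}


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'GOV.UK.' and 'gov.uk' compare equal."""
    return domain.strip().lower().rstrip(".")


def in_scope(agency: str, domain: str) -> bool:
    """True if `agency` may see results for `domain` under SCOPES.

    Matching is done on label boundaries: the domain must equal a scope
    suffix or end with '.' + suffix. A bare endswith('gov.uk') would wrongly
    accept 'notgov.uk'; a substring test would wrongly accept
    'gov.uk.example.com'. Both are rejected here.
    """
    suffixes = SCOPES.get(agency)
    if not suffixes:
        return False
    d = normalize(domain)
    return any(d == s or d.endswith("." + s) for s in suffixes)


def agencies_for(domain: str) -> list:
    """All agencies whose scope covers `domain` (normally zero or one)."""
    return [agency for agency in SCOPES if in_scope(agency, domain)]


def route_notification(raw: str) -> dict:
    """Parse one constructed breach/paste notification and decide who receives it.

    Returns the breach name, the normalized alias domain, and the agencies the
    event is delivered to. An out-of-scope domain such as troyhunt.com is
    delivered to nobody, mirroring the access limit the article describes.
    """
    event = json.loads(raw)
    domain = event["email"].rsplit("@", 1)[1]
    return {
        "breach": event["breach"],
        "domain": normalize(domain),
        "deliver_to": agencies_for(domain),
    }


# Constructed sample notifications for the example (not real HIBP data).
SAMPLE_EVENTS = [
    '{"breach": "ExampleBreach", "email": "alice@cabinet.gov.uk"}',
    '{"breach": "ExampleBreach", "email": "bob@csiro.au"}',
    '{"breach": "ExampleBreach", "email": "carol@troyhunt.com"}',
    '{"breach": "ExampleBreach", "email": "dave@gov.uk.example.com"}',
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(route_notification(raw))
```

Running the block prints one routing decision per sample: the first two go to the NCSC and ACSC respectively, the last two are delivered to nobody. The scope table is the only configuration that a new whitelisted domain (the csiro.au case in the quote) would touch.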
You can check out the site for yourself at https://haveibeenpwned.com/.