Data breaches have become an inevitability of life. As sure as we can put data on the web, someone else can take it and then spread it around for all to see. Some of us see it more than others; by virtue of me running the free Have I been pwned (HIBP) service, I see more than my fair share of breaches. I help people understand their exposure by enabling them to find their data on my service but before doing that I always – always – ensure I’m confident the breach is actually legitimate.
Recently, a couple of particular incidents got me thinking about data breach verification. One of those was the breach I wrote about in my last column, namely the incident with 55 million voter records in the Philippines being exposed. This incident was first covered by the press on March 27, when the election commission’s website was defaced, yet somehow, at least as of three days ago, they still have no idea whether the breach is legit.
I’m confident the breach is legit and I shared the secret to how I reached this conclusion when I wrote an in-depth piece on the breach. I got in touch with people in the data dump and had a discussion with them like this:
Me: Is this your data?
Easy, right? To clarify, I contacted people who were subscribed to HIBP (there are about 370k of them) and asked for their assistance. I gave them a bit of data and they confirmed whether or not it was legitimate. In some cases, they also provided me with a piece of info to verify, which avoided the risk of them simply answering in the affirmative to everything I asked. In this case, one individual gave me a portion of their passport number and, sure enough, it was a positive match to the data breach.
Today I’ve been looking at the Naughty America data breach, which was in the news 10 days ago. The breach itself is dated March 14, which is a day short of six weeks before the time of writing. Yet somehow, Naughty America have yet to acknowledge the incident. In fact, the first a number of their customers knew of the breach was when I contacted them today and repeated the same process I’d used with the Filipino voters. Not only did I get affirmative responses, one member of the site even emailed me the original welcome email he’d received from them in 2010, complete with the precise date that was stamped on his record in the data breach.
When I verify breaches in this way, I have access to a fraction of 1% of those involved in the data breach, by virtue of their HIBP subscription. When the organisations that are breached attempt to verify the incident, they have access to 100% of the source data, including unique, publicly unknown attributes such as record IDs, time stamps and password salts. If verification is taking them more than 3 hours, they’re doing something wrong. If it’s taking them more than 3 weeks, then there are entirely different reasons, and they have nothing to do with verifying the legitimacy of the incident.
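The two checks described above, a subscriber volunteering a fragment I never showed them and an organisation matching dump rows against attributes only it holds, as an added example (my illustration, not code from HIBP or from either breached organisation; the dump rows, the organisation's records and the passport value are all constructed):

```python
"""Two ways to confirm a claimed breach is real, using data only the right party has."""
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Record:
    email: str
    record_id: int     # internal primary key, never shown publicly
    created_at: str    # signup timestamp as stamped on the row
    salt: str          # per-user password salt, known only to the site


# Constructed sample rows as they might appear in a leaked dump.
DUMP = [
    Record("a@example.com", 1001, "2010-03-14T09:21:00", "k3f9"),
    Record("b@example.com", 1002, "2011-07-02T18:05:41", "z8q2"),
    Record("c@example.com", 1003, "2012-11-30T07:00:13", "m1x7"),
]

# Constructed: what the breached organisation holds internally (third row deliberately differs).
ORG_DB = {
    "a@example.com": Record("a@example.com", 1001, "2010-03-14T09:21:00", "k3f9"),
    "b@example.com": Record("b@example.com", 1002, "2011-07-02T18:05:41", "z8q2"),
    "c@example.com": Record("c@example.com", 2003, "2012-11-30T07:00:13", "m1x7"),
}


def org_match_rate(dump, org_db):
    """Share of dump rows whose non-public attributes agree with the organisation's own records.
    An email address alone proves nothing (it circulates in other breaches); the record id,
    creation timestamp and salt are values only the organisation could have produced."""
    matched = 0
    for row in dump:
        own = org_db.get(row.email)
        if own and (own.record_id, own.created_at, own.salt) == (row.record_id, row.created_at, row.salt):
            matched += 1
    return matched / len(dump)


def fragment_matches(record_value, supplied, min_len=4):
    """A subscriber offers the tail of a value (e.g. part of a passport number) that was never
    disclosed to them. It counts only if it is long enough not to be a lucky guess and matches
    the dump exactly; a constant-time compare means the check itself reveals nothing."""
    supplied = supplied.strip()
    if len(supplied) < min_len or len(supplied) > len(record_value):
        return False
    return hmac.compare_digest(record_value[-len(supplied):], supplied)
```

A subscriber simply answering "yes" is weaker evidence than either check: the first needs a match on fields that cannot be guessed from the email, and the second needs the subscriber to supply something that is in the dump before being told what it is.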