Govt asks Have I Been Pwned?
Troy Hunt: The Australian developer of the Have I Been Pwned service
The Australian Government has signed up to the Have I Been Pwned service to monitor its email addresses for breaches and be notified in real-time if one occurs.
The service sends the Australian Cyber Security Centre a notification if any .gov.au email address is included in a third-party breach, with the partnership coming into effect on Monday.
Have I Been Pwned (HIBP) was launched by Australian tech security expert Troy Hunt in late 2013, allowing anyone to check if their email address has been included in a public data breach. It also offers a commercial model, which allows clients to search entire domains.
Mr Hunt provides the service to the federal government for free.
“There are many reasons why that made sense to do, one of which is that it unifies a bunch of existing free searches,” Mr Hunt said.
“Another is that, frankly, we really want governments to do their best to protect the folks working in their departments, many of them are working in capacities that help protect our respective nations from all sorts of threats, and increasingly that means online threats as well.”
The new partnership allows the federal government to search for all .gov.au email addresses along with any connected agencies, such as the CSIRO domain. Real-time notifications would also be sent to the ACSC if a government email address had been affected by a breached.
“It means that within minutes of one of their email addresses being found and loaded into HIBP, they’ll know about it,” Mr Hunt said.
“That’s really important in terms of giving them the ability to respond quickly and by unifying all those existing one-off domain searches, the respective governments will be able to immediately see when an incident has a potentially broad impact,” he said.
“This can be especially important when you consider data breaches such as Dropbox; many organisations of all kinds suddenly learned that a bunch of their people had cloud storage accounts under their corporate email addresses so you can imagine some of the discussions that subsequently ensured.”
In a statement, the ACSC confirmed the partnership with Have I Been Pwned.
“The ACSC will be working in collaboration with Mr Hunt, using the additional data received from haveibeenpwned.com, to monitor Australian government domains found in public third party data breaches,” the statement said.
“From 26 March 2018, the ACSC will be receiving notifications from Mr Hunt when Australian government domains are found in public third party data breaches. These notifications will be triaged and addressed by the ACSC to allow a more efficient cyber response to the threats posed by third party data breaches,” the ACSC said.
The UK government has also signed up to use the Have I Been Pwned service in the same way.
“I’m happy that this effort continues the philosophy I’ve stuck to since the early days of HIBP – that the service should help people do good things after bad incidents occur and that it does so as transparently as possible,” Mr Hunt said.
“I’m very happy that HIBP is now a resource the UK and Australian government can draw on to help their people help all of us live happier online lives.”