How to tell if .gov has been pwned
- By Matt Leonard
Have I Been Pwned, a website that allows users to see if their email address is associated with a data breach, is now being used by Australian and United Kingdom governments to monitor their domains.
The service was created by Troy Hunt, an Australia-based independent security expert. Hunt announced the government projects in a blog post.
The Microsoft Azure-hosted Haveibeenpwned.com allows individuals to check to see whether their email address has been compromised, and organizations can check whether any of their domain's addresses have shown up in any of the data breaches currently tracked by the system.
With this announcement, all U.K. government domains have been enabled for centralized monitoring by the National Cyber Security Centre. Likewise, the Australian Cyber Security Centre can monitor all .gov.au domains on demand, Hunt wrote.
Although the governments will be using a commercial version of the service, Hunt is making it available for free.
Officials will be able to query email addresses associated with their respective domain -- .gov.uk or .gov.au -- and set up alerts to be notified if the domain becomes associated with a new breach.
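The domain-level check and "new breach" alerting described above can be illustrated with a small offline monitor. This is an added example, not code from the article or from Have I Been Pwned: it assumes a domain-search response in the shape HIBP's documented domain-search endpoint returns (a JSON object mapping each local-part alias to the list of breach names it appears in), and it compares that against the result of the previous check so that only newly seen breaches raise an alert. The sample response and the domain `agency.example` are constructed for the demonstration.

```python
import json
from typing import Dict, Set

# Constructed sample response. The shape (alias -> list of breach names) is
# assumed to mirror HIBP's domain search; the breach names are made up.
SAMPLE_DOMAIN_RESPONSE = json.dumps({
    "alice": ["ExampleBreach2019"],
    "bob": ["ExampleBreach2019", "ExampleBreach2023"],
})

# Constructed state from a hypothetical earlier check of the same domain.
PREVIOUS_STATE = {
    "alice@agency.example": {"ExampleBreach2019"},
    "bob@agency.example": {"ExampleBreach2019"},
}


def parse_domain_response(raw: str, domain: str) -> Dict[str, Set[str]]:
    """Turn the alias -> breaches mapping into full address -> set of breaches."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object keyed by alias")
    return {f"{alias}@{domain}": set(names) for alias, names in data.items()}


def find_new_exposures(previous: Dict[str, Set[str]],
                       current: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return address -> breach names not present at the last check.

    Addresses that were never seen before count as entirely new, so every
    breach they appear in is reported.
    """
    new = {}
    for address, breaches in current.items():
        delta = breaches - previous.get(address, set())
        if delta:
            new[address] = delta
    return new


def format_alerts(new: Dict[str, Set[str]]) -> list:
    """One alert line per address, sorted so output is stable for diffing/logging."""
    return [
        f"ALERT: {address} appeared in new breach(es): {', '.join(sorted(names))}"
        for address, names in sorted(new.items())
    ]


def run_check(raw: str, domain: str, previous: Dict[str, Set[str]]) -> list:
    """Full cycle: parse the response, diff against state, produce alert lines."""
    current = parse_domain_response(raw, domain)
    return format_alerts(find_new_exposures(previous, current))


if __name__ == "__main__":
    for line in run_check(SAMPLE_DOMAIN_RESPONSE, "agency.example", PREVIOUS_STATE):
        print(line)
```

In a real deployment the `raw` argument would come from an authenticated request to the HIBP API and `PREVIOUS_STATE` would be persisted between runs; the diffing logic is what keeps the alert volume to genuinely new exposures rather than re-reporting every historical breach on each check.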
“It means that within minutes of one of their email addresses being found and loaded into HIBP, they'll know about it,” Hunt said in his blog post.
Hunt is working with other governments to monitor their domains at no cost. "I can’t go into detail on which governments I’m speaking to until they’re happy to announce it publicly," he told GCN. "I hope to be able to share details on those once they come onboard."
In his testimony before the House Energy and Commerce Committee last year on identity verification, Hunt said many people don't learn they’ve been involved in a data breach until years later. And due to a lack of accountability, there isn’t much incentive to make changes, he told lawmakers.
“They trade-off the cost of implementing security controls against the likelihood of a data breach occurring and inevitably, often decide that there’s not a sufficient return on investment in further infosec investments," he said at the hearing. "Without greater accountability on behalf of the organisations involved, it’s hard to see the status quo changing.”