If Net data is breached, site can tell you

Troy Hunt (left), an Australian information security researcher and troubleshooter, participates in a hearing last week before the U.S. House Committee on Energy and Commerce on the impact of data breaches.

Troy Hunt has collected a trove of 4.8 billion stolen identity records pulled from the darkest corners of the Internet -- but he isn't a hacker.

Instead, he uses that repository to help ordinary people navigate the growing scourge of the corporate data breach. All that personal information was originally taken from brand-name services such as LinkedIn, Kickstarter, Dropbox, MySpace and the cheating website Ashley Madison and later assembled by Hunt.

Working barefoot and in beachwear from his home office on Australia's Gold Coast, the amiable security researcher set up his irreverent website, Have I Been Pwned? (rhymes with "owned"), in 2013. Millions of people have since used the free service to see whether hackers have liberated their personal details from unwary companies and posted them online.

Along the way, Hunt has become a close student of data breaches and the slipshod security that makes many companies easy prey for attackers. He's exposed several such thefts himself, in some cases identifying them before the companies themselves did.

"Pwned" -- a deliberate misspelling of "owned" -- is slang used by gamers to mean "utterly defeated." It's an apt description of what it's like to have criminals use your Social Security number, birth date and other personal details to commit fraud in your name.

Hunt was invited to appear before Congress in late November to help lawmakers wrestle with this growing crisis of consumer data theft. In just the past two years, attackers have stolen sensitive information about hundreds of millions of people from the credit bureau Equifax, popular online services such as Uber and too many other companies to count.

Much of that stolen data flows directly into the black market. "Data breaches are another commodity, like heroin," Hunt testified last week before the House Energy and Commerce Committee.

Hunt's unlikely path from Queensland's Surfers Paradise Beach to what he describes as "fancy government things" on Capitol Hill has been a running joke since his invitation to testify was announced. Virginia Republican Rep. Morgan Griffith, introducing Hunt to lawmakers, noted that he "put on a suit and tie for us when he normally wears jeans and a black T-shirt."

Hunt said he splurged on the brand-new Hugo Boss suit and Australian outback-style boots because he didn't have anything else to wear. He also downloaded an app that instructed him on how to tie his necktie.

"Doing my best 'no really, I'm a professional' impersonation," he tweeted from the U.S. Capitol steps shortly before the hearing. "Did it work?"

Of course, this "new normal" of huge data breaches is no joke. So much personal data has been publicly exposed through both theft and voluntary sharing on social media that it's eroded traditional methods for verifying identity, such as user names, passwords or knowledge-based questions about birthdays or family history.

In late November, Hunt helped discover a 2014 breach of the photo-sharing website Imgur after analyzing data from the hack passed along by one of his sources. Unlike Uber, which hid a recently disclosed breach of more than 57 million stolen passenger and driver records for a year, Imgur took just 25 hours to go public after Hunt emailed the San Francisco company on Thanksgiving Day.

"Troy Hunt was extremely helpful in bringing the data breach to our attention and ensuring the sensitive data was passed to us in a secure manner," Roy Sehgal, Imgur's chief operating officer, said in an email.

Hunt originally launched his site "as a bit of a curiosity," he said. At the time, he was a software architect at pharmaceutical giant Pfizer; a few years later, he quit to work as an independent information security consultant and instructor.

The researcher was analyzing data breaches floating around the Web and noticed that many people were turning up in multiple data breaches. "It struck me that this was something they probably didn't know," Hunt said in a phone interview.

People using his site can search on their email address to see whether and where their records have been exposed. Roughly 1.7 million people also subscribe to alerts that sound when their details pop up in newly discovered breaches. The website's user base has grown rapidly as bigger data breaches -- some many years old -- get attention.

Hunt "has credibility and integrity," said U.K.-based security researcher Ian Thornton-Trump, who has used Hunt's site to build a system that keeps customer credentials safe from attacks that reuse previously disclosed passwords. "He's resisted urges, and probably significant financial value, to sell out."
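The credential-screening system Thornton-Trump describes works by refusing passwords that already appear in disclosed breach data. The following added example (not code from the article, from Hunt, or from Thornton-Trump) shows the defender-side check in Python. It assumes the hash-prefix lookup pattern that breached-password services commonly expose, where only the first five characters of a SHA-1 hash leave the client and the match is completed locally; the article itself does not describe the lookup mechanism, and the breach corpus here is a small constructed set rather than real breach data.

```python
import hashlib

# Constructed stand-in for a breached-password corpus: SHA-1 digests (upper-case hex)
# of a few passwords that are widely known to appear in breaches. A real deployment
# would query a service holding billions of entries instead of this tiny set.
def sha1_upper(password: str) -> str:
    """Return the upper-case hex SHA-1 of a password, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


DISCLOSED_HASHES = {sha1_upper(p) for p in ("password", "123456", "letmein")}


def range_lookup(prefix: str) -> set[str]:
    """Simulate a k-anonymity range query.

    Only the 5-character hash prefix is 'sent'; the caller receives every suffix
    in that bucket and finishes the comparison itself, so the full hash of the
    candidate password never leaves the client.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in DISCLOSED_HASHES if h.startswith(prefix)}


def is_disclosed(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def screen_new_password(password: str) -> tuple[bool, str]:
    """Registration/password-change policy: reject previously disclosed passwords.

    Returns (accepted, reason). The reason is safe to show to a user; it does not
    reveal which breach the password came from.
    """
    if is_disclosed(password):
        return False, "This password has appeared in a known data breach; choose another."
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        accepted, reason = screen_new_password(candidate)
        print(f"{candidate!r}: accepted={accepted} ({reason})")
```

In production the `range_lookup` body would be an HTTPS call to the breach-data service, but the shape of the check stays the same: hash locally, send only the prefix, compare suffixes on the client. Screening at registration and password change is what keeps credential-stuffing attacks from succeeding with passwords already circulating from earlier breaches.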

Hunt warned Congress that there's now a "perfect storm of data exposure" thanks to the growth in online services that are collecting more information than they really need. He also slipped in a suggestion that the U.S. government, like some of its counterparts elsewhere, should do more to penalize companies that don't disclose their breaches properly.

Business on 12/06/2017
