Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Behind the Scenes at ‘Have I Been Pwned’

Via Slashdot and contributor slincolne [the link is behind a paywall]: “The founder of the data-breach notification site Have I Been Pwned manages ‘the largest known repository of stolen data on the planet,’ reports Australia’s public broadcaster ABC, including over 6 billion email addresses. Yet with no employees, Troy Hunt manages all of the technical and operational aspects single-handedly, and ‘has ended up playing an oddly central role in global cybersecurity.’ Troy is very careful with how he handles what he finds. He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims’ names, physical addresses, bank details and other sensitive information. The idea is to let users find out where their data has been leaked from, but without exposing them to further risk. Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it’s legitimate and not some kind of scam itself. He’s not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money. But there’s evidence that this approach is working. Despite the legal grey area he has operated in for a decade now, he’s avoided being sued by any of the organisations responsible for the 705 breaches that are now searchable on Have I Been Pwned. These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service… ‘He’s not a company that’s audited. He’s just a dude on the web,’ says Jane Andrew, an expert on data breaches at the University of Sydney. ‘I think it’s so shocking that this is where we find out information about ourselves.’
She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches… Without an effective global regulator, Professor Andrew says, a crucial part of the world’s cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.”