When people use their work email addresses to register for external websites, it creates a security risk because so many people reuse the same password across all their accounts. When one of those external accounts is breached and the password is disclosed, our internal systems could be at risk, as could any other external services the user has registered for with the same credentials. “Credential stuffing” is the practice of attackers replaying stolen username and password combinations in bulk against popular online services to exploit exactly this kind of password reuse.
Ideally, websites would always tell us if our password had been compromised but this isn’t always the case. Keeping up with which of our online services have been compromised and which passwords need to be changed can be a challenge given the sheer number of security breaches. Fortunately for us, Troy Hunt has created an online service called “HaveIBeenPwned” that can advise if anyone on your organisation’s email domain has been associated with a security breach. It will show you which breach it is associated with so that you can take action to change passwords if needed. HaveIBeenPwned is a fantastic security awareness tool to help people understand the risks of password reuse. It’s also worth encouraging users to register their personal email addresses. Best of all, it’s free!
Unfortunately, in my experience Legal teams can be neophobic and object to registering organisational domains with this service, especially for organisations subject to EU privacy law. Here are some common legal objections and some suggestions on how you can deal with them:
“This is stolen content and it’s wrong for us to subscribe to a service that indexes stolen data.”

It’s useful to make a physical comparison here. Imagine that someone illegally leaked stolen data from a supplier which showed that the fire protections in your organisation’s head office were ineffective. Would you really say that you couldn’t act on it and that the right thing to do was to remain at risk? Once you know about a risk, regardless of the source, you have to act. It would be unethical to do anything else.

“We need people’s permission to process their personal data.”

This stems from a work email address being considered personal data. While it’s ideal to get people’s permission for any kind of monitoring at work, it’s not strictly required. By all means let people know that you’re using the service, but don’t wait for permission. Principle seven of the Data Protection Principles requires us to use ‘appropriate’ security controls to protect people’s personal data. Given that password reuse is endemic, we can’t ignore the relevance of external breaches to our own authentication systems. This is a case where the processing of personal data is clearly in the interests of the Data Subject, since there’s a good chance they use the same password (or variations of it) for their personal accounts at home.

“How do we justify doing this?”

How can we justify not doing it? See above about the Data Subject’s best interests.

“How can we trust ‘Troy Hunt’?”

How can we trust anyone? On the internet we can’t tell the difference between a dog and organised crime. Troy has made every effort to be transparent about the service he runs, but the real point is about the impact of false positives and false negatives. In the case of a false negative, you’re no worse off than where you started. For a false positive, changing a password when you didn’t need to is a minimal overhead. The prize here is the chance to change passwords and protect accounts before criminals can exploit them.

“What if it shows that users have been using their work emails for services such as AshleyMadison.com?”

Nobody in Legal wants to be the one who approved a process that could result in huge embarrassment, potentially for senior executives. However, the breach has already happened. Not taking action invites further harm and also increases the chance of blackmail.
HaveIBeenPwned is rapidly passing a cultural tipping point in security best practice with government departments signing up and breached sites using it to notify their users. If you haven’t already registered your organisation’s email domain then you need to have a meeting with your legal team.