Have I Been Pwned (haveibeenpwned.com) is a website that allows Internet users to check whether their personal data has been compromised in data breaches. The service collects and analyzes dozens of database dumps and pastes containing information about hundreds of millions of leaked accounts (passwords and credit card details, for example) and allows users to search for their own information by entering their username or email address.
In late August 2017, 700m email addresses, as well as a large number of passwords, were leaked publicly thanks to a misconfigured spambot, in one of the largest data breaches ever. To put that number, 700 million, into perspective: at the time it was almost one address for every single man, woman and child in all of Europe.
A “data breach” is an incident where a site’s data has been illegally accessed by hackers and then released publicly. The types of data that are usually compromised are email addresses, passwords, credit cards etc. This is why it is necessary and important to change one’s passwords regularly.
Local government organisations such as Shepway District Council handle data from the general public and their contractors by necessity. It is therefore imperative that members of such an organisation are well versed in online security practices in order to keep the public’s data secure, as well as commercially sensitive data. With services that identify compromises in security freely available online, such as haveibeenpwned.com, we hope they use it or an equivalent regularly.
It is known that the SDC email accounts of both Cllr David Monk and the Chief Executive, Alistair Stewart (pictured above), were part of a data breach in August 2017, in which some of their SDC information was harvested by a “spambot” called Onliner Spambot.
Such incidents raise some very serious questions:
Did Councillor Monk and Mr Stewart know about the breach?
Did Councillor Monk or Mr Stewart raise the alarm about suspect emails being sent to them?
Did they report any breach to their IT personnel?
Did the IT personnel identify it on their system?
What steps if any were taken subsequently by SDC, if Cllr Monk/Mr Stewart informed the IT personnel?
Was any data lost due to the breach?
While it is impossible to deduce the reason behind such an incident, knowing the answers to these questions would indicate how seriously the safety of our valuable personal data is being taken. As Cllr Monk is the Leader of Shepway District Council and Alistair Stewart is the CEO, and each receives “commercially sensitive information”, including information from constituents across all wards in Shepway, IT security should be paramount at all times.
It isn’t just SDC who should be concerned. In the same month the same “spambot” breached lance dot batchelor at saga dot co dot uk, Group Chief Executive Officer of Saga (pictured). What did Lance and his IT department do?
Being in the data set gives little insight into where Cllr Monk’s, Alistair Stewart’s or Lance’s email addresses were obtained from, nor what they could actually do about it.
Data breaches are now a fact of life, and yet many people have no idea what to do or who to turn to when their personal data is compromised. We and others believe the Government should use the data protection bill, which began its journey through Parliament on the 18th Jan this year, to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.
Damian Collins, MP for Folkestone & Hythe, should really consider joining the second reading, as his email address, damian dot collins dot mp at parliament dot uk, appears as being compromised on haveibeenpwned dot com.
Alistair Stewart, CEO of SDC, Cllr David Monk, Leader of SDC, and Damian Collins, MP for Folkestone & Hythe, have each placed their respective organisations at “substantial risk”, which cannot sensibly be ignored having regard to the nature and gravity of the feared harm their compromised data may do, or may have done, to their respective organisations.
We hope they and their organisations will do all they can to prevent any further data becoming compromised and immediately send themselves on some appropriate training.
The Shepwayvox Team