NCSC joins data breach service in government programme
The National Cyber Security Centre (NCSC) has become part of the data breach service Have I Been Pwned’s (HIBP) government programme.
The NCSC describes itself as: "the lead organisation for responding to cyber threats that could have an impact on national security and wellbeing".
Have I Been Pwned will allow the NCSC to be notified by the service if any official New Zealand Government email addresses are subject to a breach.
The GCSB can subsequently notify the affected agency internally and provide advice.
Australia-based Troy Hunt, who is well-known in security circles and recognised by Microsoft, created HIBP back in 2013 as a response to increasingly serious data breaches at the time, such as the Sony Pictures breach.
HIBP allows individuals and organisations to type in an email address or password and find out if it has been compromised in a public data breach.
Although he does not specifically work for the software company, Hunt was made a Microsoft regional director and MVP as a result of the site’s success.
Hunt stepped down from his esteemed post as sole manager of HIBP in 2019 but continues in both his Microsoft roles.
HIBP also continues to be a valuable resource for those wanting to find out if they’ve had their security compromised.
The site has caught breached accounts from companies such as LinkedIn, MySpace, and Dubsmash.
“Continuing the march forward to provide governments with better access to their departments’ data exposed in breaches, I’m very pleased to welcome the 28th national government onto Have I Been Pwned - New Zealand!” Hunt says on his blog.
The announcement comes after the NCSC expanded its Malware Free Networks capabilities available to private-sector cybersecurity providers in December 2021.
Malware Free Networks (MFN) leverages the NCSC’s threat information, specifically indicators of compromise (IoC)s from sources including incident response and its international partnerships. There have been more than 40,000 indicators of compromise deployed to MFN so far.
Managed services providers offering MFN include Cassini, Cyber Research NZ, Datacom, DEFEND, InPhySec, Kordia, SSS IT Security Specialists, Spark, and Vodafone.
“We know that already MFN is preventing real harm. As the span of capability grows, and more partners include MFN in their services the, benefit for New Zealand organisations both public and private will increase exponentially,” GCSB director-general Andrew Hampton says.
As a condition of its government programme, HIBP will only share email addresses affected by a data breach with the NCSC. Affiliated information such as passwords may be made reference to, but this will not will be shared.
Furthermore, the alerts will give the NCSC relevant insights into appropriate government cyber hygiene.
The NCSC says “[this will support] more effective cyber security policy and resilience initiatives.”
HIBP offers membership to the government programme at no cost.