Yesterday Silicon Republic ran a story about 6700 email addresses and passwords, some of which were from Government Departments and large Irish corporates, that were discovered posted in a "prominent hacker forum". The original article contained speculation about where this data could have been obtained from, with an implication of a potentially serious security breach somewhere in the information chain from browser to internet. The whiff of internet intrigue and black hat operations hung heavy in the air.
But reality is never as sexy as a Mission Impossible trailer. While the attack vectors hinted at in the original article were all possible, the actual root cause appears to have been much more mundane and much more commonplace. In an update to the story posted later in the day, Silicon Republic reported that:
The 6,700 leaked email addresses and passwords containing details of workers at organisations like HSE, AIB, and Enterprise Ireland, as well as many users’ Gmail and Hotmail addresses and passwords, came from a shopping website that went out of business but hadn’t been shut down properly.
The developers and the former website owners were not aware that the data had been compromised and had been posted on a hacker forum until they were told about it yesterday. A test server had been left running, with data on it and the site was still live, which they were also unaware of.
And this is where the confluence of Information Security, Data Protection, and Information Governance becomes significant.