
No, I Cannot Share Data Breaches With You

Oh, you want to see those data breaches, do you? Well, the answer's no. A firm no. Check out why.


If you’re reading this, it’s possible I directed you here with little more than a mere URL in my reply to you. It’s likely that you asked for data that has been breached from an online system. Perhaps it was your data you asked for, perhaps it was other people’s data you were seeking but regardless, the response is the same. No, I cannot.

In running Have I been pwned? (HIBP) I obviously come across a lot of data breaches with a lot of sensitive data. I understand that often people are worried about what data about themselves may have been exposed and they just want a copy of it. In fact, I understand it very well because I get bombarded by requests – more than I could possibly handle. The volume of requests aside, it’s frequently not a simple task to pull this data on a per-individual basis, particularly given I lock it away out of easy reach (for obvious reasons).

Other times it’s people wanting to exchange breach data. This trading of sensitive, personal information is frequently done for malicious purposes. It will then be sold or commoditised in other ways which seek to exploit the misfortune of those who find themselves in the breach. This is not OK and you should carefully question your motives if this is you.

I appreciate that at times it’s people who have only research purposes in mind; perhaps they’re doing password analysis or drawing other insights from aggregated data, and certainly I’ve done that many times myself in the past. But the problem is that not only must I rely on the word of someone who is often a complete stranger, but if I were to redistribute the data then I would be complicit in its spread across the web.

I have always said no to these requests, not only because I do not believe it’s in the best interests of the individuals who own the data, but because I put huge amounts of effort into ensuring I handle breaches as ethically as possible. Of course, I myself am dependent on being able to obtain this data in the first place in order to run HIBP, and I’m conscious of the responsibility that entails. My focus remains on being able to continue doing what I’m doing and providing a service that helps victims of data breaches, not one that puts them at more risk.

Just in case it’s not entirely clear, let me provide some quick Q&As for you:

Q. I would like a copy of my data from a breach, can you please send it to me?

A. No, I cannot

Q. I have a breach I would like to give you in exchange for “your” breach, can you please send it to me?

A. No, I cannot

Q. I’m a security researcher who wants to do some analysis on the breach, can you please send it to me?

A. No, I cannot

Q. I’m making a searchable database of breaches; can you please send it to me?

A. No, I cannot

Q. I have another reason for wanting the data not already covered above, can you please send it to me?

A. No, I cannot


Published at DZone with permission of Troy Hunt, DZone MVB. See the original article here.
