Wednesday 20 September 2017

Ministers' passwords up for sale - Taoiseach and six cabinet members targeted

Philip Ryan

Philip Ryan

Taoiseach Enda Kenny and six other Cabinet members have had private email and password details compromised by international cyber criminals responsible for the world's biggest hacking scandals, the Sunday Independent can reveal.

The revelation raises serious questions about cyber security across Government and the level of information about senior ministers available online to criminals who target the internet's most popular websites.

It also comes at a time of heightened global tensions over internet security following accusations that Russia- backed hackers targeted the Democratic Party and Hillary Clinton ahead of the recent US presidential election.

And now a Sunday Independent investigation has found the details of Ireland's most senior politicians on an online database of victims of cyber attack, which had previously remained secret.

The database, which is used by Irish and international cyber security analysts, shows the Taoiseach and five of his Cabinet colleagues had personal information stolen by hackers who targeted business networking website LinkedIn.

The other Cabinet members include Foreign Affairs Minister Charlie Flanagan, Education Minister Richard Bruton, Communications Minister Denis Naughten, Transport Minister Shane Ross, and Chief Whip Regina Doherty.

The attack on LinkedIn was in 2012 but information of those targeted only emerged in August this year when criminals published email details of those exposed during the hack on the so-called 'dark web'. Oireachtas email addresses and accompanying passwords for LinkedIn profiles belonging to the ministers were uploaded by criminals seeking to sell the details of more than 164 million users of the website.

There is no suggestion that the minsters or Taoiseach's Oireachtas email accounts have been compromised; however, the addresses and LinkedIn passwords are available for sale. There is also no evidence to suggest criminals have so far used the information to gain access to the accounts used by the Cabinet members.

Health Minister Simon Harris's email and password details for file-sharing service Dropbox were compromised during an attack on the website in 2012, which resulted in 68 million users' details being traded online.

However, Dropbox forced users to change their passwords on the website in August. A source close to the minister said he was not concerned about the breach as he does not use the account for official business. Last week, it emerged Garda Commissioner Noirin O'Sullivan's Dropbox account was among those hacked in 2012.

Worryingly, none of the ministers or their advisers, who were contacted by the Sunday Independent, were aware that their details had been stolen by hackers and are currently available for sale on the internet.

The Taoiseach's spokesman insisted Enda Kenny has a secure email address for receiving confidential material which would not be available to the public or used for any purpose other than official business. "There is absolutely no evidence of the Taoiseach's private official account being compromised in any way," he said. The information on the ministers who were hacked was collated from the cyber security website 'haveibeenpwned.com'.

The website is a database of all email addresses uploaded to the dark web by hackers who have breached the security of popular websites.

The service was created by Microsoft regional director and security expert Troy Hunt. The database is regularly used by security analysts.

Hunt said the purpose of the database is to help people see if they have been targeted by hackers.

"We consistently see people from all walks of life exposed in data breaches. Politicians, military personnel, children; there's no discrimination," he told the Sunday Independent.

"Nor is there any discrimination on the types of websites we see these people exposed in and there are many government email addresses in the likes of Ashley Madison and Adult Friend Finder," he added. However, Hunt said his database does not allow users to publicly search for email addresses involved in "sensitive" security breaches such as that of Ashley Madison - a website that facilitates extramarital affairs.

Users seeking to establish if their details were hacked as a result of security breaches on porn or adult websites have to email Hunt's service directly. Irish security analyst Conor Flynn, who is the founder of Information Security Assurance Services, said he uses and advises clients to use Hunt's website.

"It is a good service with honourable intentions and it is a good place to check your details," Flynn said.

Flynn said email and passwords are not enough for criminals to commit identity theft. However, if they had access to other information which might be widely known about politicians, they could access other more secure websites such as email or online banking accounts.

"Having a user name and password is one thing but if you have a date of birth or a mother's maiden name, a billing address, then you are getting into information that could be used for resetting passwords on other accounts," he added. "If it is an email system, then one of the dangers is people, out of laziness and sloppiness, store other details in their email system, such as emails of bank account details."

Sunday Independent

Editor's Choice

Also in Irish News