A leak at data.gov.uk underscores the problems with relying on passwords as the primary form of authentication.
A leak at data.gov.uk underscores the problems with relying on passwords as the primary form of authentication.

The U.K. government digital service (GDS) site, data.gov.uk, directed users to change their passwords after finding a database of usernames and email addresses exposed on a publicly accessible system, the BBC reported Thursday.

The BBC cited a GDS spokeswoman who claimed that other government websites had not been affected in the breach, which exposed usernames, email addresses and hashed passwords, and which has been reported to the country's information commissioner.

“Passwords continue to be an Achilles heel in the fight against cybercrime as improper user behavior – such as weak passwords or use of the same password across different sites – continues,” Spencer Young, RVP EMEA at Imperva, said in comments to SC Media.

Mike Ahmadi, global director of critical systems security at Synopsys, also assailed the reliance on passwords for authentication as “a huge problem. Many systems, for example, remain vulnerable to the Heartbleed bug, which makes harvesting passwords trivial. Those that can locate databases of hashed passwords can harvest the hashes and then take their time cracking the hash through multiple tools built for such purposes. Once a password is discovered, attacks can scale massively before anyone is aware of a breakdown in security."

Noting that the data.gov.uk incident is the “second ‘non-breach breach' of sensitive user PII data,” the first being an “unfortunate mishandling of trusted data in the Deep Root incident,” Ryan Wilk, vice president at NuData Security, stressed that “sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas.”

“We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in,” he said, so “merchants and FIs need to rethink how they protect and identify their users in the digital world.”

Safeguarding against such breaches is within the grasp of government, which could take a lesson from some enterprises in private industry. “What's disturbing, aside from the doubtless potential for high levels of confidentiality within emails emanating from the government, is that there are simple, effective methods such as two-factor authentication, and TLS Client Authentication which have been shown to be extremely secure, yet usability issues have hampered adoption,” said Young. The failure to put those methods in place is “an outcome of a continual lack of understanding and investment from government in security strategies that [British enterprise] adopt as standard operating procedures. This attack was unfortunately always a matter of time.”