Our Guest Troy Hunt Discusses
Cybersecurity Expert: Breaches, Ransomware, and the One Trick to Stay Safe from Hackers
How are AI and automation shaping both the attack and defense sides of cybersecurity?
On this episode of Digital Disruption, we’re joined by the founder and CEO of Have I Been Pwned, Troy Hunt.
Troy Hunt is an Australian security researcher and the founder of the data breach notification service Have I Been Pwned. With a background in software development specializing in information security, Troy is a regular conference speaker and trainer. He frequently appears in the media, collaborates with government and law enforcement agencies, and has appeared before the US Congress as an expert witness on the impact of data breaches. Troy also serves as a Microsoft Regional Director (an honorary title) and regularly blogs at troyhunt.com from his home on Australia’s Gold Coast.
Troy sits down with Geoff to share eye-opening insights on the evolving threat landscape of 2025 and beyond. Despite the rise of AI and automation, Troy emphasizes that many of today’s most damaging data breaches and ransomware attacks still stem from basic human error and social engineering. He explains how ransomware has shifted from encrypting files to threatening data disclosure, making it harder for organizations to manage risk and justify ransom payments. The conversation also touches on how breach fatigue and apathy have led many individuals and businesses to underestimate cybersecurity risks, even as incidents rise globally. He also highlights how AI tools are being weaponized by both defenders and attackers and argues that cybersecurity isn’t about perfect protection but about finding equilibrium: balancing usability, education, and risk mitigation.
00;00;00;06 - 00;00;22;14
Geoff Nielson
Hey everyone! I'm super excited to be sitting down with Troy Hunt. He's a renowned security expert with a reputation for getting beyond the complex and technical and distilling all the noise down to what really matters to protect ourselves. He runs the website Have I Been Pwned and was named a Most Valuable Professional by Microsoft. If you don't know, Have I Been Pwned is a free resource that tells you if your data has been stolen based on your email address.
00;00;22;15 - 00;00;38;24
Geoff Nielson
What I want to know is what this age of AI, massive data breaches and shifting digital trust mean for online security. What's next and what we need to do to be ready for this new world? Let's find out.
00;00;38;27 - 00;00;55;17
Geoff Nielson
Hey, Troy. So happy to be with you here today. Maybe to jump right into things. You know, what I really want to know is, you know, your perspective on the threat landscape online, 2025, 2026. What does it look like now and how is it different from what we've seen in years past?
00;00;55;19 - 00;01;12;03
Troy Hunt
Yeah, I was almost going to answer before, yes, it is different, although I was going to ask about how it's the same, because one of the things that we keep seeing a lot of lately is still social engineering attacks. And I think everyone's like, okay, we talk about AI and how's AI destroying everything, because that's the expectation.
00;01;12;06 - 00;01;31;26
Troy Hunt
But fascinatingly enough, a lot of the big attacks we're seeing now are still from kids. Either legally kids or, I guess, by age. And it's kids, you know, they're very young adults and they're still managing to socially engineer support desks and big cloud providers and get access to that. So I think it's fascinating that that bit stays the same.
00;01;31;26 - 00;01;37;28
Troy Hunt
And the thing that we're really expecting to come and revolutionize everything hasn't made a big dent yet.
00;01;38;01 - 00;01;56;05
Geoff Nielson
Well, and it's you know, that's really interesting because it's kind of, you know, what I'm taking from that is it's still so easy and we're so bad at protecting ourselves at a fundamental level. Like, is it fair to say we don't even need to think about worrying about these super advanced tools as individuals, because we're still falling for the same basic traps?
00;01;56;07 - 00;02;19;04
Troy Hunt
I think it's just a recognition that these are really complex systems. I mean, as an example, think about how many times you go through and you even try to do something like, my telco, I have been trying to update the credit card with my telco for weeks. I cannot figure out how to do it, you know, and I think a lot about user interfaces and systems and things, or trying to set up passkeys for a service.
00;02;19;04 - 00;02;36;14
Troy Hunt
So many of these things are so complex, with so many moving parts, and we as the individuals and as defenders need to get it right every single time. And the bad guys are just going to get it right once, you know, they find that one flaw, and particularly once they can develop a technique that they can just apply over and over and over again, they run rampage.
00;02;36;14 - 00;02;50;15
Troy Hunt
And this is where we're seeing names like Scattered Spider, the one that's popular at the moment. And we have seen the rest of this. And again, they're kids who are very young adults, and they just find this pattern, particularly in a certain industry sector, and they just rip through it.
00;02;50;18 - 00;02;53;15
Geoff Nielson
So. So tell me a bit about Scattered Spider.
00;02;53;18 - 00;03;07;25
Troy Hunt
Well, I think in a way it's a little bit like, you remember back in the day it was Anonymous, right? So probably 15 years ago it was Anonymous and everyone was Anonymous. And we are Legion and we never forgive and forget and all the rest of it. So it seems to be a little bit of a collective term.
00;03;07;25 - 00;03;39;25
Troy Hunt
There are inevitably people who are more the ringleaders of this group, but what they seem to have become very good at is finding, I guess, repeatable flaws in things like, you know, we see alerts from the likes of the FBI or Australian Federal Police, which will say be on the lookout for social engineering attacks from this group or members of this group that target things like support systems, you know, and that's not necessarily finding a technical vulnerability or some novel, you know, advanced hack.
00;03;39;25 - 00;03;46;19
Troy Hunt
It is simply finding vulnerabilities in the process. And the humans behind the process.
00;03;46;22 - 00;04;03;28
Geoff Nielson
So, groups like this and, you know, the kids you're speaking about, are they more going after, you know, organizations and, you know, kind of professional business systems, or do we need to be worried about them as individuals as well, compromising, you know, kind of our bank information or any of our personal accounts?
00;04;04;01 - 00;04;19;21
Troy Hunt
It's a good question. And I think part of it speaks to motivation. So, you know, what are they out there for? And traditionally we've said, look, there are the hacktivists who are out there just because there's a cause or they pretend there's a cause, but they want the notoriety and the, I guess, the satisfaction.
00;04;19;24 - 00;04;41;24
Troy Hunt
There are the career criminals, those who are after the money and they're looking for something that has a return on investment. And then there's the nation states, which is a self-explanatory whole other area. And I think when we look at this criminal element and we say, where is the value, ransomware, we still obviously see a lot of compromises of large organizations that then lead to ransom, albeit not the traditional.
00;04;41;24 - 00;05;01;23
Troy Hunt
We've encrypted your files. Give us money, we'll give you the key back. It's more the threat of disclosure, I mean, in these cases. But of course, there's still targets against individuals. We know even here in Australia, where we've only got less than 30 million people, we're doing about $3 billion a year worth of ransomware, or rather, financial fraud against individuals.
00;05;01;25 - 00;05;15;05
Troy Hunt
So I think ultimately everyone's a target. And if you look at it as a business, you know, if you're a young, budding enterprising cybercriminal, where is the highest and best use of your time to get the best return on your effort as well?
00;05;15;05 - 00;05;35;02
Geoff Nielson
So let's maybe start by answering that question so that we can understand that landscape, you know, best. So if you're, and you know, I'm still fascinated that the first, you know, group you came up with was the kids. Right. It wasn't the nation states, it wasn't these kind of bigger players. It's the fact that everyone down to kids, you know, can be potentially threat actors that we have to deal with.
00;05;35;02 - 00;05;54;03
Geoff Nielson
So if you are, you know, I call it a bedroom threat actor or like, this long tail of, you know, just kind of your, you know, garden variety cyber criminal here. Where is your best bet that you would, you know, want to go after in terms of, you know, making some money off of this?
00;05;54;06 - 00;06;13;25
Troy Hunt
This is maybe a two part answer. I mean, one is where is the money? But also how accessible is the money? I mean, the money is with the banks. They are extraordinarily well resourced and well secured. And you effectively have to pretty much fit into that nation state, North Korea kind of category before you manage to get serious money from banks.
00;06;13;28 - 00;06;40;10
Troy Hunt
Crypto wallets are definitely a big thing. I see huge volumes of attacks against crypto wallets. I'm the recipient myself. Just very recently I just kept getting spam after spam after spam, looking to get into a crypto wallet from a particular provider, of which I don't have a service at all. But hey man, it's like email's cheap to send, so I'm just getting the shotgun approach and yeah, evidently they will get some tiny fraction of 1% of people to hand over their crypto.
00;06;40;13 - 00;07;02;24
Troy Hunt
Okay. And, you know, and then the rest is history. The extortion to organizations, of course, that they look at big organizations and go, well, if you're a multi-million, multi-billion dollar company, you've got a lot of money. Asking for a million bucks might not be a lot of money to them. And I'm sure that there are many, many incidents that never hit the news that do actually pay out as well.
00;07;02;26 - 00;07;27;16
Geoff Nielson
Yeah. And that's my sense as well, having worked with a number of organizations who, you know, find themselves vulnerable to ransomware. It feels like it's a lot more prevalent than you might think, just based on the fact that people don't necessarily want to announce it. And you know, what we've seen and what some of our own experts in house are saying is, you know, often, you know, you're better off just paying the ransom and moving on, even if that's not what you want to announce you're doing.
00;07;27;16 - 00;07;39;14
Geoff Nielson
Because the harm that these organizations can cause is, you know, pretty severe. Do you work with organizations who have been hit by ransomware, and what advice do you typically give them?
00;07;39;16 - 00;07;59;05
Troy Hunt
Well, I mean, I don't provide service in that area. I mean, normally I work for organizations that have had data breaches. I think that the rationale of paying the ransom, it's a tricky one because there's a business continuity argument to be made. If I pay the ransom, will I get my business back online and will I stop bleeding money?
00;07;59;08 - 00;08;15;17
Troy Hunt
And I think that was an argument that could be made a lot more in the early days where ransomware was about loss of availability, data would be encrypted, pay for the key. You usually got the key because, hey, it'd be bad business, you know, not to give the key. We need to make sure people know you pay, you get your files back.
00;08;15;20 - 00;08;34;23
Troy Hunt
Now that that has pivoted to disclosure as well and the leaking of files in ransomware, I think that's a harder argument to make because you never get any guarantee. Then, of course, you know, so I would pay the money, and if data is encrypted, we'll give you the key, and we'll delete the data from the site, you know.
00;08;34;23 - 00;08;54;22
Troy Hunt
So, yeah. Trust the cybercriminal to delete the data. So I think that's problematic. We just passed legislation in Australia which mandates the disclosure of organizational ransomware payments. So at least we can start to quantify the problem because, yeah, to your point earlier, there's probably a lot that goes unreported, we know there's a lot that goes unreported.
00;08;54;22 - 00;09;01;04
Troy Hunt
So if we can't quantify the problem, it's very hard to work out proper measures and controls for it.
00;09;01;06 - 00;09;15;16
Geoff Nielson
Right. So on the data breach side, I thought I read somewhere, and keeping you honest, Troy, I thought I read somewhere that after the Ashley Madison data breach that you were kind of called in for, you know, some advice on how to deal with that. Is that true? Did I make that up?
00;09;15;21 - 00;09;40;02
Troy Hunt
No, certainly not to Avid Life Media. I think they probably paid huge amounts of money for lots of advice and none of it to me, fortunately. But look, what it did is it really highlighted the risk to many organizations. I mean, if you think about, let's say, non-technical, non-security pros that are sitting on boards, C-suite executives, everybody saw the news about Ashley Madison.
00;09;40;02 - 00;09;58;16
Troy Hunt
This wasn't some sort of, you know, industry news thing. Everybody was seeing it on mainstream TV, on radio. And that was a discussion around all these boardroom tables. How do we make sure that we're not the next Ashley Madison? And certainly I did speak to many organizations that raised that question, because suddenly they're getting not just pressure from their board, but interest.
00;09;58;16 - 00;10;13;13
Troy Hunt
It's very hard to get money for cyber security, particularly from the likes of board members who may not understand it. But when they see that headline and they're like, how do we not be the next Avid Life Media and have our 30 plus million records over the internet? Yeah, that got traction.
00;10;13;15 - 00;10;26;00
Geoff Nielson
So, you know, data breaches. You've talked about how they've evolved over the years. And, you know, the approaches that criminals have taken and their trustworthiness have changed.
00;10;26;03 - 00;10;43;02
Geoff Nielson
How should companies be thinking about them right now? You know, you certainly hear about this notion that you can't necessarily protect yourselves from a data breach forever. You know, first of all, do you buy that? Should we be thinking more about response or more about, you know, protection, or both?
00;10;43;04 - 00;11;06;20
Troy Hunt
I think we've got to recognize that there are no absolutes. You know, you're never going to be protected and that's it, and you're fine. You know, what you're doing is you're mitigating against certain risks, and you're mitigating the likelihood of it happening. You're mitigating against the impact of that happening. And, you know, a good example of that is investing in penetration tests to make sure there's no obvious flaws is a great one for likelihood.
00;11;06;22 - 00;11;28;13
Troy Hunt
A great one for impact is simply not retaining data you don't need. You know, we've had so many data breaches, both here in Australia and around the world, where there's been huge volumes of data from customers that haven't been there for decades. My parents came around recently, and they gave me a letter that was put in their mailbox from an organization that had a data breach, and it was addressed to me.
00;11;28;13 - 00;11;47;13
Troy Hunt
Now, I haven't lived there since the 90s. It was a financial services company called Latitude, was a big news story here in Australia. And for some reason, I kind of remember, maybe I had a car loan when I was like 20 years old or something, that they still had my data. So as it relates to things like impact, how do we reduce the amount of data we have in the first place?
00;11;47;16 - 00;12;05;13
Troy Hunt
And going back to the point about convincing board members and getting money, the problem that people in these security positions have is they need to go and ask for money and say, look, if you give me this money and we do a really good job, nothing will happen. You know what, though? They think, how much money do we make?
00;12;05;15 - 00;12;12;13
Troy Hunt
Well, none. But hopefully you won't lose money. So it's a very difficult position to make.
00;12;12;16 - 00;12;32;00
Geoff Nielson
So how do you make that position? Because I agree with you. Like, having that conversation with the board is, you know, a lot of this all comes down to money and getting the mandate to do that. You know, how do you typically work with organizations to convince boards that this is worth it, even if that means that, you know, nothing happens is the best case scenario?
00;12;32;03 - 00;12;49;20
Troy Hunt
Yeah. Well, you know, very often, I guess the bit that I get involved in, I don't really do any consulting anymore, but I do a lot of public speaking. And then people say, look, we want to get you to come along, do a talk and, you know, scare everyone just a little bit. I'll tell some good stories that make people go, I don't want to be the next whatever organization.
00;12;49;22 - 00;13;09;03
Troy Hunt
And unfortunately, what tends to happen is we seem to wait for some major incident. Ashley Madison was one of them. In Australia, we had our second largest telco and our largest health insurer both have major data breaches at the end of 2022. And suddenly everyone was interested and the government passed legislation about various things, and organizations went out and spent more money.
00;13;09;03 - 00;13;26;19
Troy Hunt
I got invited to a bunch of talks to companies that I wouldn't have done otherwise, and that seems to be the catalyst. And when you think back to Ashley Madison in 2015, one of the things that happened after that was people were saying, well, are we now going to take it seriously? Like, is this the watershed moment?
00;13;26;21 - 00;13;34;23
Troy Hunt
Are we going to get on top of this? You know, we can't let this happen again. And then, you know, a decade plus on here we are. And it happens every day. Yeah.
00;13;34;26 - 00;14;00;21
Geoff Nielson
Well, and that's, you know, that's really interesting. Because that, I mean, that in our culture was in some ways such a watershed moment in terms of the impact that it had on people. Right? You know, there were suicides that came from it. And it's people's, you know, most sensitive and, you know, naughtiest information. And, you know, so it's interesting to me because like, if that's not going to convince people, you know, what is?
00;14;00;23 - 00;14;21;28
Geoff Nielson
And one of the things I've found as just, you know, an individual is that I almost am saturated by these stories of data breaches in the news, like there's so many of them. I'm like, oh, yeah, another one. I'm, you know, maybe I'm impacted, maybe I'm not. And I have a sense of almost resignation that comes from helplessness.
00;14;22;00 - 00;14;29;10
Geoff Nielson
Is that something you're hearing about? And, you know, what do we do about that as individuals and as organizations?
00;14;29;12 - 00;14;48;04
Troy Hunt
Well, there's definitely a degree of apathy. And I almost wonder if it's a little bit like if you go on the news and you see there's been some horrible car crash somewhere and you're like, I'm going to drive safe now, you know, and then that solves the problem. I think it's a combination of apathy. It won't happen to me.
00;14;48;06 - 00;15;11;21
Troy Hunt
And probably, look, if it's a car crash, we can all imagine what it would be like and the ramifications of that. If it's something like a data breach, I think a lot of people have trouble thinking through what that might actually mean, not just to your own online life, but to your IRL life. You know, that might mean someone has enough information to go and open bank accounts that might impact your credit, that might impact your ability to buy a house in the future.
00;15;11;21 - 00;15;31;19
Troy Hunt
You know, like real world impacts. And I don't think people necessarily think through that. And it's still something that happens a lot, but to a tiny fraction of people as well. So there's folks sitting there going, well, you know, I'll be fine. Let me just download this free wallpaper tool, you know, and install that on my PC.
00;15;31;22 - 00;15;48;25
Geoff Nielson
Yeah. So when you're telling these stories, you know, on sort of your speaking tours to create that, you know, that little bit of fear, whether it's in individuals or organizations, what are the stories you're finding that are actually resonating with people and making them say, oh, okay, maybe we should be taking this a little more seriously?
00;15;48;28 - 00;16;08;28
Troy Hunt
It's a combination of things. Look, certainly the ones that people have seen in the news, seeing the impact. I like to tell stories that sort of show, look, this is the sort of data that came out and the consequences thereafter. I also like finding lots of, and this pivots the discussion slightly, but lots of amusing examples.
00;16;08;28 - 00;16;26;07
Troy Hunt
There are some very funny data breaches out there, and I realize that sounds bad as I say it, but there's some very funny services and some funny stories behind that. If I can get people sort of leaning forward and engaged and going, well, this is a really interesting story. You know, I think that hits home as well.
00;16;26;09 - 00;16;35;13
Geoff Nielson
So what's an example of, you know, a funny data breach, or one that, you know, engages people and that they might not otherwise have processed?
00;16;35;15 - 00;17;01;27
Troy Hunt
Yeah. I think the one that comes up the most that people sort of shake their head at, and you'll have to figure out whether you need to bleep any of this or not, but there is an online service called Shit Express, and this is a real website. And you can go there and, to put it in perhaps the more appropriate term, you can order a box of feces online to be delivered to a recipient.
00;17;01;29 - 00;17;22;20
Troy Hunt
Now, you want to do that anonymously for obvious reasons, for sure. So they talk about all this anonymity on the site. Now, I had seen this in the news before. It's actually a website. It's still up there. Anonymity, obvious reasons. But then they have a database. And when they have a data breach, all of the information inside this service gets leaked.
00;17;22;23 - 00;17;50;23
Troy Hunt
And as I do the talk on this, I say, isn't it funny? There's all this anonymity, save the bit where you have to pay by credit card and Stripe and leave your personal details, like how anonymous do you think this is anyway? So it gets leaked and there's a little snippet I use in there where one person has gone on, as I refer to it in the talk, a shitposting rampage, but they've gone through and sent multiple boxes to a bunch of these names, and there's about 6 or 7 different names on there.
00;17;50;25 - 00;18;10;23
Troy Hunt
And they're very upset about things to do with legislation in America. And I, as an Australian who watches the news, didn't recognize the names, except for one. And these are the names of the recipients. Incidentally, the IP address of the sender is on every single record. And the one name I recognized was Brett Kavanaugh because he'd been in the news.
00;18;10;26 - 00;18;24;00
Troy Hunt
And then I started googling the others, and they're all high court judges. Someone has gone and sent boxes of feces to the High Court judges, with the expectation of anonymity. There's been a data breach. Now, here it all is, right?
00;18;24;02 - 00;18;29;05
Geoff Nielson
Right. So suddenly, no, we know who's sending this shit to the Supreme Court.
00;18;29;05 - 00;18;32;09
Troy Hunt
Add this to the list of things I didn't expect to learn, did I?
00;18;32;11 - 00;18;55;04
Geoff Nielson
Yeah. No, that was not on my bingo card, Troy. So thank you for that. When we think about how people traditionally respond to these data breaches, when we think about how they traditionally think of them, is there any information out there that to you is either misinformation or unhelpful in the traditional thinking that people talk about?
00;18;55;06 - 00;18;59;19
Geoff Nielson
But, you know, you kind of say, you know, time out. That's not the way I would approach this.
00;18;59;22 - 00;19;24;24
Troy Hunt
I think what I'd suggest is we need a bit of a reframing about what classes of data represent risk versus what classes don't, and risks to whom. Now, a good example of this is I see so many data breaches where there'll be a disclosure from the organization and they always start by saying, at such and such a company, we take your security seriously, and I'm like, oh, this isn't going to be good.
00;19;24;29 - 00;19;41;26
Troy Hunt
You know, it's innocent either. Why is it going to be bad? And they'll say, you know, we've had a cyber incident by a malicious threat actor at a third party. So it's just like watering the whole thing down. And then they'll say, your email address, your name, your password, your home address, your phone number have all been exposed.
00;19;41;26 - 00;20;04;21
Troy Hunt
The good news: your credit card is fine. And I'm like, well, hang on a second. I have had my credit card defrauded many times, and I'm careful, but I'm also human, and I'm online and I go to restaurants in strange places sometimes. In my experience, every time the credit card has been defrauded, American Express, for example, picks it up pretty quickly.
00;20;04;21 - 00;20;22;15
Troy Hunt
I get a call. They're like, look, we found these transactions that, you know, weren't me. Okay, we'll cancel them. We're going to cancel the card. I get a new one in the mail a few days later. I'm fine. Now, on the other hand, someone's password gets exposed. That is their password. Singular. That's the one they use everywhere.
00;20;22;17 - 00;20;41;19
Troy Hunt
So this organization has just said, look, the thing that actually really has no tangible impact on you, debit card is a different story, but for the most part, credit cards, you know, that's okay. But the thing that is now the key to all of your other digital online lives has been leaked. Good luck, you know, go for it.
00;20;41;24 - 00;20;46;05
Troy Hunt
I think reframing the impact of that, like, that's important.
00;20;46;08 - 00;21;03;01
Geoff Nielson
So what's your best advice around password hygiene then? Because you hear all sorts of conflicting things about, you know, make it incredibly long or use special characters or, you know, that there's refresh rates, there's a number of different, you know, pieces of advice. What do you typically tell people around password hygiene?
00;21;03;03 - 00;21;22;20
Troy Hunt
Well, I think first of all, you know, maybe to add some positivity to the whole thing, the bar is set very low in terms of where do I need to get to, to be more secure than 90% of other people out there? And that bar is having strong and unique passwords, and preferably a second factor authentication as well.
00;21;22;22 - 00;21;42;10
Troy Hunt
Not foolproof, but it's a really good start. Now, strong and unique: unique is an easy one. Don't make it the same as any of the others. And part of the reason for this is that there are so many credential stuffing lists out there. Services have been compromised. Someone goes and gets all the email addresses and passwords, and they add them to all the other ones from all the other services.
00;21;42;12 - 00;22;02;10
Troy Hunt
And now suddenly they've got a list where at times we're talking about billions of credential pairs, you know, billions of instances of email address, password. And then they just go and try them on vulnerable services. Now that's exploiting password reuse. If you have an extra one on the number of your password, you're immune from that particular type of attack. That is not a good password.
00;22;02;10 - 00;22;23;27
Troy Hunt
But you get my point. The strength is the challenge because we all have so many different online accounts these days. You have 100 plus. Either that or you're very, very young. You know, like if you've been online during Covid buying stuff, you will have 100 different accounts somewhere or other. You can't remember those. You simply cannot in your brain.
00;22;23;27 - 00;22;41;15
Troy Hunt
Remember every one of those. So one of the things we've really got to get past is this idea that a password is something that you remember and you type in, which leads us to password managers. And I've been a massive advocate of password managers for a very, very long time now because they're the only way you can get strength and uniqueness.
00;22;41;18 - 00;22;59;29
Troy Hunt
And then the discussion changes from, how do I make those 100 different accounts secure, to how do I make my password manager secure? And for a tool that's a dedicated security tool meant to do that one thing and do it very, very well, that's a much easier challenge than securing all the other things.
00;23;00;04 - 00;23;19;29
Geoff Nielson
Does that, you know, I've heard that advice too. And, you know, full disclosure, and I hope I'm not tipping off any would-be hackers here, I don't typically use a password manager. And my concern is it feels like it's just the classic problem of now I have one point of vulnerability because, you know, everything is in the bank's singular vault now.
00;23;20;03 - 00;23;26;01
Geoff Nielson
And if you can get the password to the password manager, suddenly, you know, everything's exposed. Does that hold any water to you or no?
00;23;26;06 - 00;23;45;08
Troy Hunt
Oh, yeah. Of course. And this is often the question. They're like, well, what happens if someone gets into a password manager? So it's easy. You're screwed, you know, because everything is in there. And keep in mind as well, a lot of password managers are not just password managers. I use 1Password, the service called 1Password, and I have my bank account details in there.
00;23;45;10 - 00;24;07;28
Troy Hunt
I have all the frequent flier details. My license, my passport. The family shares stuff backwards and forwards. So the impact of full compromise is really, really high. The question then is what is the likelihood of that happening? And most importantly, how does that then compare to the likelihood of compromise if you don't have the password manager? For most people not having a password manager, they're going to reuse that same password everywhere.
00;24;07;29 - 00;24;29;11
Troy Hunt
Very, very high likelihood of compromise, not just because there's a breach somewhere and it gets reused somewhere else. But you might fall for a phishing attack, for example, you might enter it into a website that's got a keylogger. And we're seeing, like, Magecart-style attacks where cards entered into a website are scraped because it's got an external dependency, got JavaScript, listening to everything that's put on the page.
00;24;29;13 - 00;24;54;08
Troy Hunt
So once you have a password manager and you lock it down with everything, in the 1Password example, there is a secret key that I have no idea what it is. It's printed. It's in a safe somewhere. There is multifactor authentication. You must be signed in on another device that can give this device access and so on and so forth, and so long as I don't lose the things that I need to get back into my password manager, I'm fine.
00;24;54;10 - 00;25;00;19
Troy Hunt
So I think that likelihood is a really, really important part of the discussion.
00;25;00;21 - 00;25;22;12
Geoff Nielson
Yeah, that that makes sense to me. And if it's, you know, an order of magnitude more secure than the individual passwords, then yeah, that that changes the equation. What's your what's your perspective on non password access management. Like things like you know biometrics in some capacity or any kind of alternative access. There.
00;25;22;14 - 00;25;42;05
Troy Hunt
Well, I think you look at it as an augmentation of passwords. I mean, I've got a modern iPhone, so I've got Face ID. And most of the time when I authenticate to my phone, I log on with my face and then people go, that, that's great. So now you don't have a password. So now you do, because some of the sunglasses I have that work, you know.
00;25;42;07 - 00;25;55;12
Troy Hunt
Well although they're going to take the sun app. But then I can literally now when I go and buy sunglasses in Australia, I go through the shop and I'm like, okay, do they look good? Can I unlock my phone while I'm wearing them? But yeah, obviously there are parts of the world where you might have a scarf on because it's cold.
00;25;55;12 - 00;26;12;26
Troy Hunt
And also what happens when you forcibly reboot your phone. What happens if the biometrics fail ten times in a row? Every minute is for the lockout. Well, then you need the PIN, so you fall back to the PIN. The biometrics has got the great advantage of being something that you can use to authenticate in front of people, and it can't be copied.
00;26;12;29 - 00;26;31;10
Troy Hunt
Yeah. No one is practically copying my face and logging into my iPhone. I can do that in front of people. I enter the PIN, someone observes the PIN and now they can enter it. So I think the thing to think about is these two things augment each other and they complement each other. And that, to me, is a major part of the whole infosec discussion.
00;26;31;10 - 00;26;39;26
Troy Hunt
How do we find the right tool for the right circumstance and recognize that there is no one thing that just solves all the problems.
00;26;39;28 - 00;26;51;06
Geoff Nielson
So let's let's continue down that thread for a minute. How what does that exercise typically look like? You know, for an organization or, you know, a leader trying to go down that road?
00;26;51;08 - 00;27;09;01
Troy Hunt
I think the classic term would be some form of threat modeling going through and looking at like, what are our risks? What are the likelihood, what the impact from that happen? There are some very boring protocols that you can follow to figure this stuff out. But in simple terms, most of it comes down to, what is the impact of someone gaining access to our things?
00;27;09;01 - 00;27;17;02
Troy Hunt
What is the likelihood of it happening? What are our mitigating controls to reduce either the likelihood or the impact? If that happens afterwards?
00;27;17;04 - 00;27;38;21
Geoff Nielson
So, as I think about that, there's there's a couple of angles to this, because we were talking earlier about the impact of the board and getting money for all of this. What do you think about the barriers to why more people aren't doing this now? Troy? Is it is it a financial barrier primarily, or is it literally just an effort barrier?
00;27;38;21 - 00;27;55;09
Geoff Nielson
And there's something, you know, I use the expression for some of this stuff. It's just like, eat your vegetables, work like it's just, it's not very exciting. You got to make time for it. Everybody's busy, you know? Do you need millions of dollars to do a lot of these kind of protective activities, or is it just literally work?
00;27;55;12 - 00;27;58;22
Geoff Nielson
Cyber security professionals acknowledging that it's important and carving out time?
00;27;58;29 - 00;28;20;20
Troy Hunt
I think it's sort of interesting, whether we're talking about individuals or corporates, to look at how much stuff there is that you're not doing that is totally free, you know. How long did it take a lot of people to even put a PIN on their phone, you know? Like it was a struggle. And I remember a lot of initiatives by the likes of Apple to try and push people down there, just having a PIN on their phone.
00;28;20;22 - 00;28;39;11
Troy Hunt
Or now that discussion is, how do we make sure that there's actually a second factor on things like an iCloud account so other people kind of get in? These are free. If you've already invested in the device, you already have that for organizations. There's a lot of cool free security controls out there. There are things like content security policies for websites.
00;28;39;11 - 00;28;58;25
Troy Hunt
These are built into browsers. They get defenses for. If someone manages to inject JavaScript, for example, in your website for the sorts of attacks we discussed before, you know, external dependency gets compromised. Keylogger and so on. We have free tools for things like checking known bad passwords. You know, one of the biggest costs for organizations is account takeovers.
00;28;58;27 - 00;29;16;17
Troy Hunt
A lot of the time people are signing up with passwords from data breaches. We have a free service where you can go, hey, has this password been seen in a data breach before? Oh. So how many times has it been seen? Well, this person is using one that's got lots of uppercase and lowercase and numbers and it's really long, but it's been seen 5000 times before.
00;29;16;19 - 00;29;22;09
Troy Hunt
Yeah. Maybe we'll block that and that's free. And then you start spending the money after that.
00;29;22;11 - 00;29;35;00
Geoff Nielson
Yeah. So so on that note, you know, tell me a little bit about Have I Been Pwned and, you know, how that tool works, where it fits in the mix and how it came about.
00;29;35;02 - 00;29;54;24
Troy Hunt
Yeah. Well, it's kind of, well, that it's, we're still here talking about it nearly 12 years on. So it started in December 2013, and I started it after finding myself in the Adobe data breach, the 150 million plus people there. My personal address was in there, my work email address was in there. And I thought, well, that's that's interesting.
00;29;54;24 - 00;30;10;29
Troy Hunt
That's there twice. It's also interesting because as far as I know, I didn't give Adobe my data, but I was a Macromedia Dreamweaver user. So I gave Macromedia my data and then Adobe acquired them in the in that data flood. And and to this day, I get a lot of questions from people who are like, why is my data?
00;30;10;29 - 00;30;27;22
Troy Hunt
And, you know, you just sent me a notification, Have I Been Pwned? Why am I in this data breach for a site I've never signed up to? Like? Well, there's always a reason, right? Like the truth is, your email address is in there. And let's go through the options. And one of those is acquisition and your information flowed in two different places.
00;30;27;25 - 00;30;47;27
Troy Hunt
So I thought that was interesting enough to build a service. And it was a hobby project. And many technical people listening to this have hobby projects that just scratch an itch. And most of mine go nowhere and fail, and this one stuck and became very popular. And I think partly because it's it's simple, partly because it's freely accessible to everyone.
00;30;47;27 - 00;30;58;01
Troy Hunt
And and then when there were the likes of the Ashley Madison data breaches out there, and there was a service where people could go and see their impact, it just got a lot of traction.
00;30;58;03 - 00;31;07;29
Geoff Nielson
It's it's yeah, it's super cool. How does it how does it work? I mean, without giving me the like, exact lines of code, just kind of abstractly, how does it work?
00;31;08;03 - 00;31;28;17
Troy Hunt
Looking at it in very simple terms, a data breach comes in and a data breach is normally just a text file. There might be a few text files, could be CSVs, there are also SQL files. It is usually a human readable text file. There are, however, many millions of lines of data records in there. We have an open source tool that just goes through and regexes out all the email addresses.
00;31;28;17 - 00;31;51;17
Troy Hunt
So it'll be like, okay, this five gigabyte file, there are 2 million email addresses in there, puts them in a file, and then we upload those email addresses into the service. So the only thing that we actually put in the online service is the email addresses. And if we have plaintext passwords we have a separate disassociated corpus. That's just passwords that organizations can use to try and help people, not use bad ones.
00;31;51;19 - 00;32;12;29
Troy Hunt
So the email addresses go up there. We've got about 5.6 million individual subscribers to the free service, where if we find any of them in the data, right, we fire them up an email. We've got hundreds of thousands of organizations that monitor their domains. They get sent an email if they're in one of these new breaches. And then there's the front page of the website where you just put your email address in, goes to the database.
00;32;12;29 - 00;32;28;18
Troy Hunt
The database is like, okay, in my case, for example, I'm in more than 30 data breaches in Have I Been Pwned. Here's what they all are. And it's like Dropbox and LinkedIn, Ashley Madison, and a few others like that. And that's all it does. It just comes back and it's like, here's where you've been exposed.
00;32;28;18 - 00;32;30;22
Troy Hunt
It's really very simple.
00;32;30;24 - 00;32;52;05
Geoff Nielson
So it's. Yeah. And it's what's interesting to me is you mentioned it's such a simple tool and we're still talking about it, you know, 12, 13 years later. What's what's the future of data breaches like as you look at the tools available, as you look at people, is this going away? Is it getting better? Is it getting worse.
00;32;52;05 - 00;33;02;08
Geoff Nielson
You know it's hard. It's hard for me to believe this is going to, you know, disappear. But are we still going to be talking about this and using tools like this, another 12 or 13 years from now?
00;33;02;10 - 00;33;38;15
Troy Hunt
I can't see any reason why we want, you know, if you look at the factors that lead to data breaches and, and contribute to the impact of them, we have more online systems than ever before. We've got more people who are online than ever before. We've got more ease of access to online services. You know, I think as much as I love cloud services and now the ability for iOS to create apps as well, it does mean that a whole bunch of people who wouldn't have used these things before and perhaps shouldn't now have access to them, and many of the data breaches we see, from people just simply not understanding how to
00;33;38;15 - 00;34;00;06
Troy Hunt
use these cloud services. Lack of authentication on databases is a massive one. Is crazy how frequently that happens, so I don't see any of that changing. And then we expect all of this interoperability between services and then lots of things that we might have built in-house before and kept as part of, of our our own code base and now delegated out to external services.
00;34;00;11 - 00;34;22;06
Troy Hunt
That, to be fair, like I love this idea because now I can, I do my payments on Stripe. I don't have to build that. That's fantastic. But then very often these external services are misconfigured or the API key for it is leaked. And we see so many data breaches where the organization's like, we had a data breach at an external service, and then maybe it was because the external service got social engineered.
00;34;22;08 - 00;34;40;21
Troy Hunt
And I guess your attack surface, for want of a better term, for each one of these multiplying applications, is just so much larger than what it was before. So I can't see any reason why, if we do this in 12 or 13 years from now, we're not saying, hey, you know, now there's 2000 data breaches in Have I Been Pwned.
00;34;40;23 - 00;35;00;25
Geoff Nielson
Yeah. And that's and that's exactly my concern is it feels like it's getting worse. As you said, the attack surface is getting bigger. We've been hearing a lot about the, you know, basically the vendor risk or the third party risk of, you know, when you're trying to conduct these, you know, threat assessment exercises, what's going on within your organization is suddenly a smaller piece of the puzzle.
00;35;00;28 - 00;35;17;25
Geoff Nielson
What do we you know, what do we as security leaders do about that other than, you know, flag, it's do you give advice at all in terms of any of the partners we should be using? What we should be asking those partners, is there a way to protect ourselves there, or is it more just sort of accepting the risk?
00;35;17;27 - 00;35;36;06
Troy Hunt
Well, again, it's always sorts of degrees. And if we tie it back to to the early examples, which for the most part I don't lie, but something that helps contextualize, you know, if you're securing the physical security of, of your house, how do you make it secure? All right. Well, you know, even just saying that term, that sounds like an absolute.
00;35;36;06 - 00;35;53;21
Troy Hunt
So, you know, how do I get to the point of safe, secure. Well, you still got windows. Yep. I got a brick. All right. So, they will do. We put bars on the windows. Like, how far do we go? And inevitably the discussion becomes one, which is what is a reasonable, commensurate level based on the risk and the likelihood and then the impact of someone gets in.
00;35;53;24 - 00;36;14;08
Troy Hunt
And I think having that pragmatic discussion is very important where it's very hard. And the bits, especially sympathetic to as is as mentioned before about the attack surface is now so big. So when you're looking at the security, particularly of your organization, you know, even one app is hard enough. But look at an organizational risk. How many different applications do we have?
00;36;14;08 - 00;36;39;12
Troy Hunt
What are the external services that they use? Whatever risks there? How do we even do things like keep our dependencies up to date? You know, we continually find vulnerabilities in external libraries. You know, how are we managing those across the ecosystem of our applications? And that is an extraordinarily hard problem. And there are lots of infosec companies out there now making a lot of money, just helping people understand even the inventory of services that they have.
00;36;39;14 - 00;36;44;00
Troy Hunt
Yeah, the asset discovery is a big thing.
00;36;44;02 - 00;36;53;13
Geoff Nielson
Yeah. It and and one that it feels like is getting more complex and more complex. Right. As you add services faster, then you're taking them away, right?
00;36;53;16 - 00;37;13;24
Troy Hunt
Yeah. And to be fair, like people are doing it for good reasons because they're finding more cost effective ways of doing this. They're finding better services that some company that just specialize in that thing has done, rather than their internal development team. Like there are loads and loads of good reasons, and we would not have the web and all the richness that we have today if it wasn't for that.
00;37;13;26 - 00;37;34;25
Geoff Nielson
Right. And, and, you know, one of the, one of the paradigms I'm hearing more about in this space is this notion of zero trust, which is basically that, you know, operating these sort of corporate systems, assuming there's already been a breach, a, you know, a data breach that we're locking down individual components as much as possible. Are you hearing much about this?
00;37;34;25 - 00;37;38;01
Geoff Nielson
Are you are you sort of an advocate for this or do you have a different approach?
00;37;38;04 - 00;38;08;03
Troy Hunt
I think the principle is good. You know, nothing should trust anything else. Everything should, I guess, set its own security boundaries. I think the principle is good. It's certainly catchy. Would I say that up there? Along with blockchain and I remember a few years ago, everything. I was like, there's blockchain on everything. I think the actual implementation of it then becomes quite difficult as well, particularly when we are talking about ecosystems these days that have dependencies on so many external services and so many external libraries.
00;38;08;06 - 00;38;17;03
Troy Hunt
So what? Where is the boundary of that zero trust? You know, once you start pulling in external dependencies? And where does that trust stop.
00;38;17;05 - 00;38;27;02
Geoff Nielson
Yeah, that's it's a really good point. Yeah. I guess it's sort of it falls apart as soon as you have to draw the circle around. Everything connected to your organization.
00;38;27;04 - 00;38;37;24
Troy Hunt
And you know, that's that's not to say give up, but it just means that I don't think is something that, you know, achieve in some sort of absolute sense. And you're just going to have to prioritize where that makes sense to implement.
00;38;37;27 - 00;38;58;15
Geoff Nielson
Right. And so speaking of, you know, speaking of, you know, vendors and different tech players in the space, you know, I did I did want to ask you to understand a bit better. Try. I know that, you're in the Microsoft sphere and you've been named by them, you know, a most valuable professional. And, it sounds like you're not you're not working for Microsoft, but you're working with them in some capacity.
00;38;58;15 - 00;39;01;05
Geoff Nielson
What does what does that mean? And how did that kind of come about?
00;39;01;08 - 00;39;19;25
Troy Hunt
Yeah. So the the most valuable professional award I got in 2011 and I've had that since. That's that's an award. The one that's really confusing is I'm also a Microsoft regional director, but I don't have a region and I don't direct anything. And that's, that's another recognition. Look, the MVP is aligned to a technology stack.
00;39;19;25 - 00;39;41;22
Troy Hunt
There are Microsoft Excel MVPs, there are Xbox MVPs. I got it for developer security. There are thousands of MVPs around the world. And the regional directors, there's a much smaller number. We're not aligned to an individual technology stack. We generally tend to have a, I guess, a broader overview and probably better access to the sorts of organizations Microsoft like to have good relationships with.
00;39;41;25 - 00;40;00;19
Troy Hunt
So I, I work a lot on the Microsoft tech stack. All of the underlying services Have I Been Pwned is powered by are built on Microsoft technologies and on Azure. I spend a lot of time with folks at Microsoft, and especially when I travel, we get along well. They give me some software. And that's about it.
00;40;00;21 - 00;40;13;18
Geoff Nielson
That's that that's great. And you know what role as you think of this whole ecosystem? I mean, what what role does Microsoft play versus, you know, some of the other bigger players in the space, I guess?
00;40;13;20 - 00;40;30;13
Troy Hunt
Well, I think it depends on where you look at it in terms of size. I mean, Microsoft has obviously got a massive footprint on the desktop. So so that's huge. They're not the biggest cloud provider, but the services in Azure are huge as well. I think like every other player at the moment, they're trying to figure out where AI fits into absolutely everything.
00;40;30;19 - 00;40;47;21
Troy Hunt
And because that that seems to be the strategy these days, that I think that they're just an enormously important, and complementary with the likes of Google, Apple, AWS, etc., part of the ecosystem. They're big. Everyone uses them in one way or another.
00;40;47;24 - 00;41;14;12
Geoff Nielson
Yeah, yeah. So so I want to come back to something that you've said a couple of times, which is AI, and the few times that you've brought it up, you've basically, you know, implied or said directly that it's actually overblown in the space and it's not the primary thing that people should be talking about or considering when they think about, you know, cybersecurity risk is that, am I misconstruing that or is that fair?
00;41;14;12 - 00;41;17;18
Geoff Nielson
And tell me a little bit about where that position is coming from.
00;41;17;20 - 00;41;36;15
Troy Hunt
I think it's it's fair. The, look, I'm, I sort of have a foot in each camp at the moment where one is, I'm so sick of seeing these hyperbolic headlines. And I'm so sick of seeing people go, you can just, you don't need skills anymore. You just code your own app and it'll be fine. It annoys the hell out of me.
00;41;36;19 - 00;41;59;04
Troy Hunt
But then, on the other hand, I am so much enjoying using AI for discrete tasks such as writing particular blocks of code. You know, like I want to go through and say, hey, give me all the customers in Stripe who have outstanding invoices. I could figure that out before, but I can literally put that question in as fast as I just phrase it and bam, there's my code and it's amazing for that, I love it.
00;41;59;06 - 00;42;17;06
Troy Hunt
I'm starting to use AI in a lot of my home automation to do things like look at photos from cameras and tell me things like, you haven't put the rubbish bin out and it's a Monday night. You know, you need to do that. That's a hard problem without something that can interpret photos, or announce who is at the door or what the person at the door looks like.
00;42;17;09 - 00;42;41;05
Troy Hunt
And then little, little, little applications. But I think what's fascinating is it seems like everything we do is having AI creeping one way or another, and our challenge is to figure out where the places where it actually helps us do our jobs better. And where are the places where you're like, not that's in the hyperbole, overblown column, and that's a that's a challenging problem at the moment.
00;42;41;07 - 00;43;02;12
Geoff Nielson
Yeah. I I've, I've found that as well. Right. There's almost like you know I've been calling it AI washing. Right. Just slapping AI on everything and you know hoping hoping that somebody, you know, somewhere appreciates that or pays more for it. There's an angle we didn't talk about for AI that I'm curious on your perspective of which is implicitly in the conversation.
00;43;02;12 - 00;43;20;29
Geoff Nielson
There's, you know, sort of us as the, quote, good guys using AI. What about AI for bad actors? You know, you talked about AI code gen and it having, you know, some, some, you know, good limited applications. Do you see it as lowering the bar or the barrier to entry for bad actors or cyber criminals getting into the game?
00;43;21;05 - 00;43;25;08
Geoff Nielson
And is that something we need to be worried about or protecting ourselves against? Yeah.
00;43;25;11 - 00;43;51;20
Troy Hunt
Yes. To all those things. I think the way to think about it is, is very much like the encryption debate that we've had for many years, you know, both encryption and AI, morally neutral technologies. They have been democratized to the extent that everybody has access to them. So whether you're you're building a payment card system and you're protecting people's credit cards or whether you're collaborating with your terrorist network, you get encryption and everybody gets it equally, and everybody can figure out how to apply it.
00;43;51;22 - 00;44;11;13
Troy Hunt
And it is the same with AI. We will inevitably see more uses of it in offense. The, the ability even just to craft messages. I mean, how many times have you got a spam message and go that really needs AI? You know, you should get your spelling and grammar spot on, and it would be such a more convincing spam message.
00;44;11;16 - 00;44;37;04
Troy Hunt
Equally, the ability for AI to infer things like deviations from the norm. You know, we have the ability to say, well, hang on a second. My bank doesn't normally communicate that way. And that character, which is and this is probably not even I think, you know, that character. It should be, it should be an L it looks like it might be capital I or, but I think particularly about the higher level thinking these are normal behaviors as deviations from normal behaviors.
00;44;37;06 - 00;44;48;23
Troy Hunt
Or this has the hallmarks of, just ways that go beyond what we could do in simple if-then-else style statements of trying to identify the nasties before, right.
00;44;48;25 - 00;45;06;10
Geoff Nielson
So you know it it can help with the, the the you know, the attacking and the defending and you know, probably not 100% on either, but it just gives us more tools in our toolkits for just, you know, sending a few more or catching a few more.
00;45;06;12 - 00;45;21;18
Troy Hunt
Yeah, exactly. And and to be honest, that the thing that I think is very exciting about it is it's changing so quickly that if we have this discussion in another few months, I'm sure we'll go, hey, look, there's now that other new thing, which might be a good thing and it might be a bad thing, but that's going to be different from today.
00;45;21;21 - 00;45;37;08
Troy Hunt
And I look, I find that exciting. I know for a lot of people, they're very worried about it. And look, what's the impact on my job and everything else. But I think if you look at it from the perspective of this, is allowing us to do so much new stuff we couldn't do before, and it is creating so many other jobs or so many other ways of working efficiently.
00;45;37;10 - 00;45;38;26
Troy Hunt
I think that's really exciting.
00;45;38;29 - 00;46;09;18
Geoff Nielson
Yeah. No, it I, I, I think you're absolutely right. It's, it's crazy how fast it's changing and. Yeah, I mean, that's one of the things that makes it so tricky is trying to keep up with this, that this incredibly fast moving technology. Troy, you know, speaking of these technologies and speaking of just, you know, your sort of posture about data breaches and the organizations you talk to, it it really feels from this conversation like there's no there's no end to data breaches, either for organizations.
00;46;09;18 - 00;46;27;11
Geoff Nielson
There's no end to data breaches for individuals. You know, you mentioned, you know, you're you know, you're a damn professional in this space. And you said you've been caught up in, you know, 30 plus of these things and had, you know, credentials compromised. What is where should we get to like, is it just about being a little bit better?
00;46;27;11 - 00;46;40;18
Geoff Nielson
Like, what's what's your posture and what's your message for people who maybe have that sense of apathy or resignation? Like, where do we want to get them to, to what's kind of the goal of all of this?
00;46;40;20 - 00;46;57;00
Troy Hunt
I think it's a it's like a question of equilibrium. So where is the right balance? You know, if we take it back to another early example and you have to say to people, what's an acceptable road toll? And they'll go, well, well, not not on any anyone to die. It's all right. You can't drive anymore. I'd like to drive.
00;46;57;01 - 00;47;19;00
Troy Hunt
So long way to walk. All right, well, now you're going to be driving around in a two ton machine at 100km an hour, you're going to take on a risk that you wouldn't have had otherwise. But we accept that that risk is part of our life and the ability to live the way that we do. And I think maybe, maybe the resignation that we all need to have is that it is very likely that we will be caught up in a data breach.
00;47;19;02 - 00;47;35;22
Troy Hunt
With that in mind, what are the things we can do to stay safe? Again, I think even that's a bad term. Let me rephrase that. One of the things that we can do to minimize the impact when it happens. Strong and unique passwords, multi-factor authentication. You know, all this stuff that we've spoken it before.
00;47;35;25 - 00;47;57;07
Geoff Nielson
Yeah. I, I like that approach. And and for me, there's even like a sense of relief in framing it that way. Right. Because I think if you position it as, like as you said, like stay safe or like, I don't know that the, the analogy that came to mind and, you know, we're, you know, a little bit off base in all these, this conversation.
00;47;57;07 - 00;48;12;22
Geoff Nielson
Anyway, we've already talked about sending people shit, but it's like it almost feels like it's like abstinent, like abstinence education, you know, and it's like, okay, well, you know, if you just tell people abstinence is the answer, you know, they say, oh, yeah. And maybe people get mad at me for saying this, but, you know, a lot of people say, you know, yeah, right.
00;48;12;22 - 00;48;24;09
Geoff Nielson
You know, that's not the answer. And they ignore you. But being able to say, okay, how do we, you know, how do we approach this more safely? The the does that apply to cybersecurity?
00;48;24;11 - 00;48;42;11
Troy Hunt
Yeah, it's it's not about not doing the activity at all because their real world impacts on on whether it be abstaining or not, driving your car or not signing up to online services. The question, I guess, would be related to things like sex education as well. Is the education component like, look, these are the risks. These are things you have to be aware of.
00;48;42;11 - 00;48;58;01
Troy Hunt
These are the things you can do to reduce the likelihood of that risk from happening. And that is a that is just a reasonable discussion that I think just needs to be part of education in general, whether it's like part of the, you know, what kids learn at school or what part of all of us as adults need to take on board.
00;48;58;04 - 00;49;18;13
Geoff Nielson
Yeah. No, I it makes complete sense. I love I love the road example too. It's I love the posture of just how we can educate ourselves, how we can make smart decisions, and how we can approach this more thoughtfully. Try. I did want to ask you, though. You know, you've been you've been, you know, a consultant and an expert in the space for a long time.
00;49;18;13 - 00;49;40;18
Geoff Nielson
You've worked with a lot of organizations, helping them as you think about, you know, cybersecurity. I mean, you mentioned the setting people shit story. But when you think about your own career, do you have sort of like a craziest story when it either with you or with, you know, a client organization that you can share when it comes to a data breach or anything security related that you, you know, kind of found yourself in the middle of.
00;49;40;21 - 00;49;58;00
Troy Hunt
Trying to figure out the ones I can talk about, and not get sued. It's actually kind of crazy that I haven't been sued. I honestly have not had any legal problems of any great extent, but I think the things where it has the ability to get the craziest, I'll talk generally about one which I can't find.
00;49;58;01 - 00;50;20;24
Troy Hunt
But yeah, it turns out a lot of organizations don't like being told that they've had a data breach. And it's it's just wild how hard it is for me to disclose incidents to many organizations. But I had one which was a very online service, in a part of the world, which is not not where you are from, put it that way, probably a different set of priorities and values.
00;50;20;26 - 00;50;39;02
Troy Hunt
And someone sent me what turned out to be tens of millions of records of their customers, and I managed to disclose it to the organization. Very often when I talk to an organization, I do actually talk and try and have a video conference or something, because then I can say that I'm not wearing a hoodie. I'm not a kid in the in the parents basement.
00;50;39;05 - 00;50;55;24
Troy Hunt
And I had a video conference with this company, and the CSA is on there and he's like, I really like Have I Been Pwned, I use it all the time. Okay, well, you're probably not going to like what happens next. So yeah, we had this discussion about all that data, and the way I normally frame it is I'm like, look, you've had a breach.
00;50;55;26 - 00;51;14;10
Troy Hunt
Can you share the disclosure notice that, of course, you will be sending to your customers, because then I can include that in my messaging when I communicate later on. Now, knowing in the back of my mind that very often they're just not going to disclose that they're going to try and cover it up. And it soon became evident as the discussion went offline that they were not going to disclose it.
00;51;14;13 - 00;51;29;19
Troy Hunt
And I had some information via a back channel that they were not going to disclose it. They were really trying to cover it up. They attributed it to an insider who they felt they had managed to put a lid on the whole thing, even though it was clearly now data which could have been sent to me.
00;51;29;22 - 00;51;51;02
Troy Hunt
And part of the reason they're not going to disclose it is they're publicly listed and they have an earnings call coming up. And also, you know, like that's now multiple levels of different things of various legality, that is, but it's a part of the world I travel through a lot, and I don't want to have a problem getting caught and ending up in jail in that part of the world.
00;51;51;02 - 00;52;05;19
Troy Hunt
So it unfortunately just ended up being one of these ones where I had to look at it and go, processing this may impact the ability for me to run this service, and it pains me to just file it away, but that's where we ended up.
00;52;05;22 - 00;52;29;14
Geoff Nielson
Yeah. And so, it's really interesting. And there's, you know, multiple layers of sadness to that story. I mean, first off, just kind of abstractly, we, I think, like to believe that, you know, when there's a data breach, most organizations will disclose that, or maybe the cynics listening are like, yeah, right, nobody's going to disclose it. I assume there are many more breaches.
00;52;29;17 - 00;52;36;16
Geoff Nielson
Do you have a flavor of, like, what that ratio is? Is it 50/50? Does it veer pretty heavily toward one side, and is it changing?
00;52;36;23 - 00;52;56;14
Troy Hunt
Yeah. Look, you know, I reckon it is a coin flip. I think it's pretty 50/50 when I try reaching out to an organization. I reckon it's a 50/50 chance of me getting any response at all. And even that's wild, right? Like, I mean, ask yourself this question. If someone sent you data, and it's probably a service you've never heard of before in another part of the world.
00;52;56;14 - 00;53;16;14
Troy Hunt
And then you go to the website and like, all right, cool. Where do I get in touch with people now? They almost certainly don't have a security.txt file or a vulnerability disclosure policy or a bug bounty. So you kind of try and find the contact form and you fill that out, and then you go through all the social media accounts and whichever one's allowed the am, the contact buyers as well.
00;53;16;16 - 00;53;30;28
Troy Hunt
And you give it a few days, you're like, all right, I haven't heard from them. Then I go to LinkedIn and I start trying to find people there at the Commodore and sending them messages as well. Give that a few days. And then I'm on X sending tweets. Does anyone have a security contact at this count?
00;53;30;28 - 00;53;53;26
Troy Hunt
And by then people know exactly what's happened to the company. And then eventually we go through that process and I load the data. And then, as often happens, the organization reaches out, they're like, hey, we've just had like a thousand angry customers contact us. What's going on? So the thing I have here is my entire paper trail, which is actually really useful when that does happen.
00;53;53;26 - 00;54;04;10
Troy Hunt
And I normally say in the breach description, you know, there were repeated attempts to contact the organization, but they didn't reply. And then, I think there's a little bit of egg on face after that.
00;54;04;13 - 00;54;25;01
Geoff Nielson
Right. And for the organizations that don't disclose, right, they choose to say, you know, oh, there's an earnings call coming up or, you know, it's bad for business in some way. You know, again, you seem like a good guy, Troy. And based on the conversation we're having, I mean, there's a very obvious, like, it's the right thing to do answer.
00;54;25;04 - 00;54;46;19
Geoff Nielson
Is there more to it than that? Like, yeah. Do you believe it is the right business decision to be disclosing these things? Like the ones that don't disclose, does it usually come back to bite them, and in some way worse than the original? Like, what's your message to try and encourage people to do this for more reasons than just the goodness of their heart?
00;54;46;20 - 00;55;03;12
Troy Hunt
Well, there are two lenses to look at this through. So one is what is the legal obligation that the organization is under. And that will depend on where they are in the world and the type of data. Very often, including places like the US, Australia, the EU, there's a legal obligation to report to a regulator, but not necessarily to the individuals.
00;55;03;19 - 00;55;25;00
Troy Hunt
So a lot of these incidents get reported to some sort of privacy officer, or whoever the local regulator is, but never actually get sent to the individuals who have had their data exposed, which is kind of wild. And then there's the ethical view, which, of course, is rather subjective. And my rather subjective view is that if you lose someone's data, you should let them know.
00;55;25;02 - 00;55;49;24
Troy Hunt
So that's my view of it. And I think that that's the way most individuals then react as well. There's an expectation on their behalf to be told if an organization exposes their data. The thing that really muddies it is organizations are very worried about things like class actions. So many data breaches, even ones that, frankly, are pretty benign in terms of the impact to individuals, then result in class actions.
00;55;49;27 - 00;56;15;28
Troy Hunt
So organizations are worried about that happening in the first place, and then they're worried about what they say, lest it be used in the class action. They're also worried about regulatory penalties as well. So, you know, one of the challenges we've had in Australia is how do we even get organizations to disclose things like ransomware? And now, I forget the legal term that's used, but now we have a construct where they do need to disclose that, but that can't then be used in any proceedings against them.
00;56;16;00 - 00;56;36;02
Troy Hunt
Because we just need to try and at least quantify the problem. So it's a very messy thing. And unfortunately, what I think ends up happening is the individual victims of the breach tend to end up being put last. And organizations are absolutely prioritizing shareholders, which is kind of what they're there for as well. That is who they're accountable to.
00;56;36;10 - 00;56;41;14
Troy Hunt
It just doesn't come across in the disclosure messages talking about how seriously they take security.
00;56;41;16 - 00;57;00;18
Geoff Nielson
Well, and I have to believe that, you know, you can very often find yourself in that situation where the cover up becomes worse than the crime. Right? And if you eventually have to disclose it, and as part of the disclosure, you know, you say, oh, well, actually this happened two years ago and yada yada yada like that. That then becomes a much bigger news story.
00;57;00;18 - 00;57;17;14
Troy Hunt
And, you know, that's one of the pieces of advice I often give an organization. If you disclose and you do it properly, you get to define the narrative, you get to explain what's happened, you get to get on the front foot. If you don't, and particularly if I have the data and then I notify my subscribers, they will find out about it.
00;57;17;17 - 00;57;23;27
Troy Hunt
They will draw their own conclusions. If you create a vacuum, it will be filled by them and it will be filled by the press. And that's not what you want.
00;57;23;29 - 00;57;36;09
Geoff Nielson
I love that advice. I thought that was extremely well said, Troy. I'm going to choose that as good a note as any to go out on. I wanted to say a big thank you for joining us today. Really, really insightful. And I appreciate your time and your insight.
00;57;36;12 - 00;57;37;10
Troy Hunt
Awesome. Thanks.