NZITF response to Dropbox data breach

Four years ago, 68 million usernames and passwords were released in a data breach at US file hosting service Dropbox. Only recently made public, the scale and nature of the breach has been of interest to the security community, including here at NZITF.

Importantly, NZITF members got a copy of the data that was breached to understand how New Zealand organisations were exposed and how corrective action can best be taken in future.

In addition to normal, operational efforts that NZITF members took to identify and contact the compromised Dropbox account holders in New Zealand, we examined.nz parts of the dataset to try and understand how organisations here are using file-hosting services like Dropbox.

This blog post sets out what we found.

Many New Zealand organisations use Dropbox

It was difficult to establish how many New Zealand accounts were compromised because we couldn’t search for people's gmail, yahoo or hotmail accounts. What we were able to do however was sort the data to find email addresses ending in .nz – e.g. yourname@work.co.nz or name.lastname@agency.govt.nz. There were 120,100 compromised accounts. Or, put another way, a little over 2 percent of the New Zealand population with a Dropbox account registered to a .nz domain name.

The use of Dropbox by New Zealand organisations may amount to shadow IT

We considered whether or not the use of Dropbox by the compromised New Zealand accounts was shadow IT – where IT solutions are used without organisational approval – and, if so, what kind of corporate information was sitting in unauthorised Dropbox accounts.

It was important to approach this carefully, because Dropbox does not, in and of itself, equal shadow IT. In fact, many organisations make business decisions to use Dropbox, OneDrive or Google Drive for back-ups, document sharing or working overseas.

Nevertheless, we were confident that a number of the organisations whose employees had Dropbox accounts linked to their work email address were bona-fide examples of shadow IT. It was clear from looking at the .govt.nz accounts involved in the breach how many organisations have Dropbox in their systems potentially without official IT sanction – especially given Dropbox is not an approved cloud software solution for New Zealand government IT departments.

Looking at the .nz names involved, we found that:

  • 9,600+ were from .ac.nz (academic institutions)

  • 4,200+ from school.nz

  • 1,400+ from vodafone.co.nz (most likely dominated by customer email accounts)

  • approx. 2,500 accounts were from .govt.nz domains

Of notable interest is that, apart from the 2500 .govt.nz accounts, most of the names were probably not examples of shadow IT. .ac.nz, for example, is likely to include a large amount of students and teaching assistants with university email addresses. It isn’t a huge surprise that they would use Dropbox. With the Vodafone accounts, it’s reasonable to assume these are customers using their ISP-issued email account for Dropbox.

CERT-NZ is expected to bring leadership & coordination around Dropbox-style data breaches

The news about the Dropbox data breach underscores the valuable role that the incoming CERT-NZ is expected to play.

As a trust-based membership organisation, NZITF has security professionals across New Zealand, but members aren’t spread evenly across the country. This means that there will inevitably be some organisations on data breach lists like the Dropbox list that we don't know or have a relationship with. A nationally recognised leader in CERT-NZ will bring resource and name recognition in contacting those organisations as well as running national coordination for breach notifications.

Data breaches like Dropbox are a reminder that the role of the incoming CERT-NZ will also involve coordinating and mitigating breaches in the government sector. Organisations with.govt.nz domain names include local councils, crown entities and large central government agencies. Many lack sophisticated information security teams and resources. CERT-NZ’s role is therefore expected to be doubly important in terms of data breach advice and leadership.

Strong, unique passwords make the difference

While we didn’t expend time or effort in decoding the password hashes, data breaches like Dropbox are a useful reminder about the importance of strong, unique passwords. It’s also particularly important to remind people and organisations that using two or three passwords across all their online accounts is not a good idea.

A useful resource in creating strong unique passwords can be found in Stanford University's password policy infographic. This shows how easy it is to build and remember strong, unique passwords of 16+ characters.

Get proactive about online accounts and data breaches

There are a number of services available that people and organisations can use to check if their email account has been included in a data breach – including HaveIBeenPwned. Here, users can register their email account(s) and be notified if they are involved in a breach that is made public.

HaveIBeenPwned also offers a service where users can receive domain-based alerts. This is useful for organisations, as security teams can set up alerts for anytime a work email account is breached and made public.

With over two billion accounts compromised in 2016 proactive alert services like these are a useful tool in helping alleviate concerns, and NZITF encourages all New Zealanders and New Zealand organisations to stay vigilant.

Terry MacDonald