Tuesday, 16 February 2010

URGENT - Irish Family History Foundation website security breached

The following e-mail was sent to me by the Irish Family History Foundation:

Dear Mr C Paton,

Please change your password

A breach of security has recently occurred on BRS Genealogy / Roots Ireland which hosts the IFHF site (www.rootsireland.ie), in response to which all necessary defensive measures have been taken. In the breach, part of the database, which includes our members' usernames, email addresses and passwords, was accessed. This triggered a series of steps that has resulted in us sending you this warning email.

No data relating to your online payment transactions (credit or debit card details) was on these servers. Please be assured that we do NOT store credit card details or any payment details. Nothing of that nature is held on our site and as a result such data is not at risk. All payments are handled by a secure payment gateway, Realex (http://www.realex.ie/).

What you need to do:

We strongly recommend that all users take steps to change their passwords.
Click here for more information on how to change your password.

You will be required to change your password at your next login (unless you have recently done so).

We recommend that users choose a non-dictionary word that is hard to guess containing both upper and lower case letters and numerals, and use different passwords for different websites.

We also recommend that if you use the same email and password on other sites that you change your password on those sites also.

Since the breach a full review of security has taken place. Further security measures have been implemented to minimise the risk of such a breach happening again.

We apologise for this inconvenience.
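The IFHF email asks for a non-dictionary password with upper and lower case letters and numerals. The following is an added example of how such a rule can be checked mechanically; it is not code from the IFHF, from Roots Ireland or from this blog. The word list is a small constructed stand-in for a real dictionary, and the minimum length of 10 is an assumption, since the email gives no length. The dictionary check undoes common letter-for-digit substitutions and strips trailing digits first, because "P@ssw0rd" and "Password1" are still the word "password" to a cracking tool.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a large word list such as /usr/share/dict/words or a leaked-password list).
COMMON_WORDS = {
    "password", "genealogy", "ireland", "roots", "family",
    "history", "dublin", "welcome", "letmein", "qwerty",
}

# Substitutions crackers try automatically, so they add no real strength.
LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 10  # assumption; the IFHF email does not state a length


def normalise(pw: str) -> str:
    """Reduce a password to the 'word' an attacker would guess it from.

    Trailing digits (Password2010) are removed first, then the result is
    lower-cased and the common digit/symbol substitutions are undone.
    """
    stripped = re.sub(r"\d+$", "", pw)
    return stripped.lower().translate(LEET)


def dictionary_hits(pw: str) -> list[str]:
    """Return dictionary words (5+ letters) found inside the normalised password."""
    core = normalise(pw)
    return sorted(w for w in COMMON_WORDS if len(w) >= 5 and w in core)


def check_password(pw: str) -> list[str]:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Password1", "P@ssw0rd", "rootsireland2010", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The substitution table and the trailing-digit rule are deliberately conservative: they reject more than the email's wording strictly requires, which is the right direction for a site whose password table has just been read by an attacker.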

I should add that I thought this was spam initially, and on searching several family history forums found similar thoughts. I therefore e-mailed the IFHF, and received confirmation that this was in fact legitimate.

I should also add that I had little enough respect for the IFHF as it was over its outrageous pricing policy, but this has left me seriously unimpressed. You'd think with what we are paying that they could at least have enough security to protect our information. It also does not help in that I initially thought off the top of my head that the site was www.irish-roots.ie/ and not www.rootsireland.ie - both in fact work, but it did at first confuse the hell out of me and make me think that the first one was a cloned site set up with an intent to defraud.

UPDATE (Wed): The IFHF has finally put up a security announcement at http://ifhf.brsgenealogy.com/security.php?PHPSESSID=c02d2934326bc87fa95be8f8965c4887 - it's not on the main homepage (no mention of it as yet there or in their news pages), but on the first search screen.

Damien said...

I too received this mail last night and I changed my password. Later I wondered if it had been a scam. Now that you have pointed out the two different web sites I am still worried, since if you ping the two addresses you get different IP addresses; the same applied if you do a tracert: different final destinations.
Was their email reply to you convincing?

Chris Paton said...

The e-mail was convincing:

Hi Chris,

That email is legitimate. Please change your password on our site.

If you use that password anywhere else you should also change it there. It is recommended by security experts that you should use different passwords on different sites, for your computer etc.

If you have any further queries please contact us again.

Yours sincerely

Karel Kiely M.A.
Irish Family History Foundation

I should add that the contact address on the two URLs I have listed above is the same, being info@ifhf.ie. Surprised though that there is no major announcement on their site... I did change my details, but will not be using them to be absolutely on the safe side; I'll just re-register and start again if I do need to use the site - and I rarely do these days, I find their costs outrageous. It's also not like the ScotlandsPeople site where you have an account where you can revisit previous downloads, so I don't think re-registering will be a big deal.