Digital data breaches started long before widespread use of the internet, yet they were similar in many respects to the leaks we see today. One early landmark incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) realized that one of its database files had been breached. The trove was protected by a numeric passcode that someone lifted from an administrative note at a Sears store and posted on an “electronic bulletin board”—a sort of rudimentary Google Doc that people could access and alter using their landline phone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for a month. At the time, TRW said that it changed the database password as soon as it found out about the situation. Though the incident is dwarfed by last year’s breach of the credit reporting agency Equifax (discussed below), the TRW lapse was a warning to data firms everywhere—one that many clearly didn’t heed.
Large-scale breaches like the TRW incident occurred sporadically as years went by and the internet matured. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became especially urgent. Stealing username/password pairs or credit card numbers—even breaching a trove of data aggregated from already public sources—could give attackers the keys to someone’s entire online life. And certain breaches in particular helped fuel a growing dark web economy of stolen user data.
What Counts as a Data Breach?
A data breach occurs any time an entity accesses information it wasn’t meant to. If someone inconspicuously looks over your shoulder at your smartphone and reads what you’re typing, that’s a data breach. If someone a block away uses binoculars to look through your window and see what you’re watching on TV, that’s a data breach as well. You may not think it matters if someone knows you like The Good Place, but if it isn’t your intent for people to see what you’re watching, it’s a violation of your expectations.
One of these incidents was a breach of LinkedIn in 2012 that initially seemed to expose 6.5 million passwords. The data was hashed, or cryptographically scrambled, as a protection to make it unintelligible and therefore difficult to reuse, but hackers quickly started “cracking” the hashes to expose LinkedIn users’ actual passwords. Though LinkedIn itself took precautions to reset impacted account passwords, attackers still got plenty of mileage out of them by finding other accounts around the web where users had reused the same password. That all too common lax password hygiene means a single breach can haunt users for years.
And What Counts as Exposure?
Think of an exposure as putting that same window at street level. Anyone walking by could see what’s on your TV. Whether they actually do doesn’t matter—the risk is there. When sensitive data like medical records or banking information gets exposed, the stakes are high.
The LinkedIn hack also turned out to be even worse than it first appeared. In 2016 a hacker known as “Peace” started selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen from the LinkedIn breach has been repurposed and re-sold by criminals ever since, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across numerous accounts for years.
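The two LinkedIn paragraphs above turn on one technical point: a fast, unsalted hash is cheap to match against a list of common passwords, and because the same password always produces the same digest, a reused password is recognisable across accounts and sites. The example below is added here to illustrate that; it is not code from the article or from LinkedIn. SHA-1 as the fast hash, the tiny password list, and the PBKDF2 parameters are all assumptions chosen for the demonstration, and the defender-side contrast is salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Dict, List

# Constructed sample: a weak password reused at two different sites.
REUSED_PASSWORD = "summer2012"

# A short list standing in for the weak-password wordlists that both
# attackers and defenders compare hashes against. Constructed for the example.
COMMON_PASSWORDS: List[str] = ["password", "123456", "linkedin", "summer2012", "qwerty"]

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your hardware budget


def fast_unsalted_hash(password: str) -> str:
    """One pass of a fast general-purpose hash with no per-user salt.
    SHA-1 is an assumption here; the article only says the data was hashed."""
    return hashlib.sha1(password.encode()).hexdigest()


def matches_known_weak_password(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """Auditing an unsalted hash table: precompute the digest of every word
    once, then each stored hash is a single dictionary lookup. This is exactly
    why such hashes were 'cracked' so quickly after the 2012 leak."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return table.get(stored_hash)


def salted_slow_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Salted, iterated PBKDF2-HMAC-SHA256. A random 16-byte salt per account
    means the same password stores differently everywhere, and the iteration
    count makes every guess cost real CPU time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    _, candidate = salted_slow_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def reuse_is_visible(password: str) -> Dict[str, bool]:
    """Cross-site correlation check: with unsalted hashing, two services that
    store the same password hold byte-identical digests, so a leak at one
    identifies the reused credential at the other; with per-account salts the
    stored values differ even though both still verify."""
    site_a_unsalted = fast_unsalted_hash(password)
    site_b_unsalted = fast_unsalted_hash(password)
    salt_a, digest_a = salted_slow_hash(password)
    salt_b, digest_b = salted_slow_hash(password)
    return {
        "unsalted_identical": site_a_unsalted == site_b_unsalted,
        "salted_identical": digest_a == digest_b,
        "salted_verifies": verify_salted(password, salt_a, digest_a)
                           and verify_salted(password, salt_b, digest_b),
    }


if __name__ == "__main__":
    leaked = fast_unsalted_hash(REUSED_PASSWORD)
    print("weak password found in unsalted table:",
          matches_known_weak_password(leaked, COMMON_PASSWORDS))
    print(reuse_is_visible(REUSED_PASSWORD))
```

The first function is the same operation whichever side runs it, which is the point: a defender can audit an unsalted table for weak passwords in milliseconds, and so can anyone who obtains a copy. The salted, iterated scheme removes the shared lookup table and the cross-site equality at once, though it does nothing about a user who types the same password into two services; only the per-site salt keeps that reuse from being visible in the stored data.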
A common reassurance after a data exposure is that there is no evidence the data was stolen. To a degree, it is possible to review access logs and other system indicators to determine this, but generally organizations have no way of knowing for certain what went on while they weren’t watching. This is what makes data exposures such a big problem, whether it’s through your window or via a database that a company left accessible online: It’s always possible that someone realized they could peek in and exfiltrated some information without anyone realizing.
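The paragraph above says the honest version of "no evidence the data was stolen" rests on reviewing access logs, and that the review is only as good as what was actually logged. The example below is added to show what that review looks like in practice; it is not code from the article or from any company named in it. The log format, the constructed log lines, the IP ranges, and the exposure window are all assumptions made for the example. Note the last field of the result: the code refuses to call the window "reviewed" if log retention does not reach back to the start of the exposure, which is the gap the paragraph warns about.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed access-log lines for a storage bucket that was left world-readable.
# Assumed format: timestamp  client_ip  method  path  status  bytes_sent
SAMPLE_LOG = """\
2018-06-01T22:10:03Z 10.0.4.12 GET /exports/customers-2018-05.csv 200 48213
2018-06-02T03:14:07Z 203.0.113.77 GET /exports/ 200 1822
2018-06-02T03:14:09Z 203.0.113.77 GET /exports/customers-2018-05.csv 200 48213
2018-06-02T03:14:10Z 203.0.113.77 GET /exports/customers-2018-04.csv 200 47990
2018-06-02T03:14:11Z 203.0.113.77 GET /exports/medical-intake.csv 200 918334
2018-06-02T09:00:00Z 10.0.4.12 PUT /exports/customers-2018-06.csv 200 0
2018-06-02T11:30:44Z 198.51.100.5 GET /exports/customers-2018-05.csv 403 0
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]                          # assumed corporate ranges
EXPOSURE_START = datetime(2018, 6, 1, 20, 0, tzinfo=timezone.utc)   # ACL mistakenly opened (constructed)
EXPOSURE_END = datetime(2018, 6, 2, 10, 0, tzinfo=timezone.utc)     # ACL fixed (constructed)
LOG_RETENTION_START = datetime(2018, 5, 25, tzinfo=timezone.utc)    # oldest log line still held


@dataclass
class Entry:
    ts: datetime
    ip: str
    method: str
    path: str
    status: int
    nbytes: int


def parse(log_text: str) -> List[Entry]:
    """Parse the assumed whitespace-separated format into Entry records."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, nbytes = line.split()
        ts_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append(Entry(ts_utc, ip, method, path, int(status), int(nbytes)))
    return entries


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_reads_in_window(entries: List[Entry], start: datetime, end: datetime) -> List[Entry]:
    """Successful reads from outside the corporate ranges while the data was exposed.
    Denied requests (non-200) are excluded: they prove interest, not access."""
    return [e for e in entries
            if start <= e.ts <= end and e.method == "GET"
            and e.status == 200 and not is_internal(e.ip)]


def summarize(entries: List[Entry], start: datetime, end: datetime) -> Dict[str, object]:
    """Per-source tally of what left the bucket, plus whether the log actually
    covers the whole exposure window. If it does not, 'no evidence of access'
    is a statement about the log, not about the data."""
    hits = external_reads_in_window(entries, start, end)
    by_ip: Dict[str, Dict[str, object]] = {}
    for e in hits:
        rec = by_ip.setdefault(e.ip, {"requests": 0, "bytes": 0, "paths": set()})
        rec["requests"] += 1
        rec["bytes"] += e.nbytes
        rec["paths"].add(e.path)
    for rec in by_ip.values():
        rec["paths"] = sorted(rec["paths"])
    return {
        "evidence_of_access": bool(hits),
        "suspect_ips": sorted(by_ip),
        "per_ip": by_ip,
        "bytes_read_externally": sum(e.nbytes for e in hits),
        "log_covers_window": LOG_RETENTION_START <= start,
    }


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG), EXPOSURE_START, EXPOSURE_END)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The byte total is a lower bound on what was read, not a full accounting: any client that fetched objects before logging was enabled, or through a path this log does not record, leaves no trace here. That is why the `log_covers_window` flag is part of the answer rather than a footnote.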
Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other. The Target hack, first publicly disclosed in December 2013, impacted the personal information (like names, addresses, phone numbers, and email addresses) of 70 million Americans and compromised 40 million credit card numbers. Just a few weeks later, in January 2014, Neiman Marcus admitted that its point-of-sale systems had been hit by the same malware that infected Target, exposing the information of about 110 million Neiman Marcus customers, along with 1.1 million credit and debit card numbers. Then, after months of fallout from those two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company’s payment terminals.
An even more devastating and sinister attack was taking place at the same time, though. The Office of Personnel Management is the administrative and HR department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every past and present federal employee. If you want to know what’s going on inside the US government, this is the department to hack. So China did.
Hackers linked to the Chinese government infiltrated OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. In other words, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)
Pilfered OPM data never circulated online or showed up on the black market, likely because it was stolen for its intelligence value rather than its street value. Reports indicated that Chinese operatives may have used the information to supplement a database cataloging US citizens and government activity.
Today, data breaches are so common that the cybersecurity industry even has a phrase—“breach fatigue”—to describe the indifference that can come from such an overwhelming and seemingly hopeless string of events. And while tech companies, not to mention regulators, are starting to take data protection more seriously, the industry has yet to turn the corner. In fact, some of the most disheartening breaches yet have been disclosed in the last couple of years.
Yahoo lodged repeated contenders for the distinction of all-time biggest data breach when it made an extraordinary series of announcements beginning in September 2016. First, the company disclosed that an intrusion in 2014 compromised personal information from 500 million user accounts. Then, two months later, Yahoo added that it had suffered a separate breach in August 2013 that exposed a billion accounts. Sounds like a pretty unassailable lead in the race to the data-breach bottom, right? And yet! In October 2017, the company said that after further investigation it was revising its estimate of 1 billion accounts to 3 billion—or every Yahoo account that existed in August 2013.
There are few companies that even have billions of user accounts to lose, but there are still other ways for a breach to be worse than the Yahoo debacles. For example, the credit monitoring firm Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 147.9 million people. The data included birth dates, addresses, some driver’s license numbers, about 209,000 credit card numbers, and Social Security numbers—meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information stolen from Equifax was so sensitive, it’s widely considered the worst corporate data breach ever. At least for now.