The History of Data Breaches
Data breaches have been increasingly common and harmful for decades. A few stand out, though, as instructive examples of how breaches have evolved, how attackers are able to orchestrate these attacks, what can be stolen, and what happens to data once a breach has occurred.
Digital data breaches started long before widespread use of the internet, yet they were similar in many respects to the leaks we see today. One early landmark incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) realized that one of its database files had been breached. The trove was protected by a numeric passcode that someone lifted from an administrative note at a Sears store and posted on an “electronic bulletin board”—a sort of rudimentary Google Doc that people could access and alter using their landline phone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for a month. At the time, TRW said that it changed the database password as soon as it found out about the situation. Though the incident is dwarfed by last year’s breach of the credit reporting agency Equifax (discussed below), the TRW lapse was a warning to data firms everywhere—one that many clearly didn’t heed.
Large-scale breaches like the TRW incident occurred sporadically as years went by and the internet matured. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became especially urgent. Stealing username/password pairs or credit card numbers—even breaching a trove of data aggregated from already public sources—could give attackers the keys to someone’s entire online life. And certain breaches in particular helped fuel a growing dark web economy of stolen user data.
One of these incidents was a breach of LinkedIn in 2012 that initially seemed to expose 6.5 million passwords. The data was hashed, or cryptographically scrambled, as a protection to make it unintelligible and therefore difficult to reuse, but hackers quickly started “cracking” the hashes to expose LinkedIn users’ actual passwords. Though LinkedIn itself took precautions to reset impacted account passwords, attackers still got plenty of mileage out of them by finding other accounts around the web where users had reused the same password. That all-too-common lax password hygiene means a single breach can haunt users for years.
The LinkedIn hack also turned out to be even worse than it first appeared. In 2016 a hacker known as “Peace” started selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen from the LinkedIn breach has been repurposed and re-sold by criminals ever since, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across numerous accounts for years.
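The LinkedIn paragraphs above describe hashing as a protection that cracking can still defeat. The following added example, which is not code from the original article or from LinkedIn, shows why: with a fast hash and no per-user salt, one digest per dictionary word exposes every account that chose that word (the constructed sample assumes such a scheme for illustration), whereas a salted, iterated PBKDF2 store gives every user a distinct digest and makes each guess costly. Names, passwords and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: three users, two of whom chose the same password.
# Assumption for illustration: the store used a single fast, unsalted hash.
SAMPLE_USERS = {
    "alice": "linkedin2012",
    "bob": "linkedin2012",
    "carol": "correct horse battery staple",
}
# Constructed wordlist standing in for the far larger dictionaries used in practice.
WORDLIST = ["password", "123456", "linkedin2012", "letmein"]


def unsalted_sha1(password):
    """Fast, unsalted hash: identical passwords map to identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_from_unsalted(stored, wordlist):
    """Hash each candidate word once, then look it up across all users.
    Any account whose password appears in the wordlist is recovered in one pass."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_store(password, iterations=600_000):
    """Salted, slow hash: a fresh 16-byte salt per user defeats shared lookup
    tables, and the iteration count makes every guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("recovered from unsalted store:", recover_from_unsalted(unsalted, WORDLIST))
    salted = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("alice and bob share a digest?", salted["alice"] == salted["bob"])
```

Carol's passphrase is not in the wordlist, so it survives the lookup even in the weak store; the point of the salted scheme is that alice and bob no longer fall together, and each guess costs hundreds of thousands of hash iterations instead of one.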
Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other. The Target hack, first publicly disclosed in December 2013, impacted the personal information (like names, addresses, phone numbers, and email addresses) of 70 million Americans and compromised 40 million credit card numbers. Just a few weeks later, in January 2014, Neiman Marcus admitted that its point-of-sale systems had been hit by the same malware that infected Target, exposing the information of about 110 million Neiman Marcus customers, along with 1.1 million credit and debit card numbers. Then, after months of fallout from those two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company’s payment terminals.
An even more devastating and sinister attack was taking place at the same time, though. The Office of Personnel Management is the administrative and HR department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every past and present federal employee. If you want to know what’s going on inside the US government, this is the department to hack. So China did.
Hackers linked to the Chinese government infiltrated OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. As a result, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)