What Has Been Leaked? Impacts of the Big Data Breaches

Filed in: News & Current Affairs  –  Author: JF Dowsett

It now seems that major breaches of what is supposed to be secure, privately held information are rarely out of the major media news cycles, however – as we shall see – there have been massive amounts of data lost and leaked for the better part of the last decade.

Today, information security is a priority issue not just for the IT or business sectors, but for everyone in all walks of life. The daily lives of millions or rather billions of people (around 40% of the global population, in fact) have today become enmeshed with the internet and with myriad technological devices that not only create a growing personal digital profile but also present further challenges to individual privacy and security. Intelligence agencies such as the United States’ NSA, the German BND or French DGSE – in addition to the scores of other agencies active around the globe today – keep constant tabs on everyone’s finances, movements, actions and even thoughts and feelings (as expressed in untold internet missives and social media posts). In contrast, it is mostly shadowy and anonymous networks of hackers, whistleblowers, and other tech-savvy causes that occasionally “leak” troves of information, thereby making public what was supposed to be hidden away from prying eyes.

On Sunday, 3 April 2016, news of the so-called Panama Papers took the world by surprise as a giant leak of more than 11.5 million financial and legal records records held by the Panamanian law firm Mossack Fonseca and pertaining to numerous high-flying figures in politics and commerce around the globe. More than a year ago an “anonymous source” (appropriately enough employing the pseudonym John Doe) contacted reputable German paper the Süddeutsche Zeitung and in view of the magnitude of the information the Germans decided to analyze the data in conjunction with the International Consortium of Investigative Journalists (ICIJ). The latter had the requisite experience, having previously also worked on Swiss Leaks (February 2015), Lux Leaks (November 2014), and before that on Offshore Leaks (April 2013).

The Panama Papers, however, are but the tip of the iceberg when it comes to data breaches. As reported by USA TODAY, an FBI official recently reported more than 500 million records have been stolen from financial institutions over the past 12 months as a result of cyberattacks. According to other reports, the world’s financial sectors are the most targeted, resulting in hefty costs and liabilities for organizations and customers exposed to identity theft and fraud.

Costs of Data Breaches

Data breaches by sector, 2014 [research and image ©2015 gcn.com]

The impacts to a business or agency’s reputation suffers greatly after a loss of data. Nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen. This is according to a recent global survey by Gemalto, a world leader in digital security, titled Broken Trust: ‘Tis the Season to Be Wary, which surveyed 5,750 consumers in Australia, Brazil, France, Germany, Japan, United Kingdom and United States. 

According to the 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for the participating companies increased 23 percent over the past two years to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015. The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68. On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165.

List of Some of the Biggest Data Breaches

A staggering volume of personal information has been lost or stolen even just looking at the period from 2000 until the present. Compiling a short list of some of the more recent, large-scale breaches may be helpful in gaining a quick overview of the size of this global issue. This is a brief list of companies, government agencies, and other entities that have had their sensitive data lost, stolen, hacked or otherwise compromised:

• AOL, 2004 – 92 million records: A former America Online software engineer stole 92 million screen names and e-mail addresses and sold them to spammers who sent out up to 7 billion unsolicited e-mails.
• Cardsystems Solutions, 2005 – 40 million records: CardSystems was fingered by MasterCard after it spotted fraud on credit card accounts and found a common thread, tracing it back to CardSystems.  An unauthorized entity put a specific code into CardSystems’ network, enabling the person or group to gain access to the data.
• T-Mobile/Deutsche Telecom – 17 million records: Thieves got their hands on a storage device with the data, which included the names, addresses, cell phone numbers, and some birth dates and e-mail addresses for high-profile German citizens.
• US Department of Veterans Affairs, 2006 – 26.5 million records: The Veterans Affairs Department agreed to pay $20 million to settle a class action lawsuit over the loss of a laptop. The department originally took three weeks to report the theft. The laptop was recovered with the data apparently intact a month after it was reported stolen.
• TK/TJ Maxx, 2007 – 94 million records: Hackers hacked a Minnesota store wifi network and stole data from credit and debit cards of shoppers at off-price retailers TJX, owners of nearly 2,500 stores, including T.J. Maxx and Marshalls. This case is believed to be the largest breach of consumer information.
• UK Revenue & Customs, 2007 – 25 million records: A set of discs containing confidential details of 25 million child benefit recipients was lost.
• US Military, 2009 – 76 million records: Without first destroying or wiping its data the agency sent back a defective, unencrypted hard drive for repair and recycling which held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972.
• Virgina Department of Health, 2009 – 8 million records: An extortion demand posted on WikiLeaks in 2009 sought $10 million to return over 8 million patient records and 35 million prescriptions allegedly stolen from Virginia Department of Health Professions.  All 36 servers were shut down  to protect records.
• Heartland, 2009 – 130 million records: The biggest credit card scam in history, Heartland eventually paid more than $110 million to Visa, MasterCard, American Express and other card associations to settle claims related to the breach.
• Sony Online Entertainment, 2011 – 24.5 million records: Hacked by LulzSec. In addition to the Sony Playstation Network breach, compromised 77 million records. More than 23,000 lost financial data, according to Sony.
• Sony PSN, 2011 – 77 million records: Rounding off a thoroughly unhappy year for Sony, their third breach saw the loss of 76,000,000 Sony PSN and Qriocity user accounts to hacking collective Lulzsec.
• Court Ventures, 2012 – 200 million records: A Vietnamese identity theft service was sold personal records, including Social Security numbers, credit card data and bank account information held by Court Ventures, a company subsequently sold to data brokerage firm Experian.
• Apple, 2012 – 12.5 million records: Hacking group AntiSec claimed they hacked an FBI laptop in March 2012 accessing a file of more than 12 million Apple Unique Device Identifiers (UDIDs). Subsequently, it was discovered that app developer BlueToad was the source of the breach. The list contained personal information such as full names, phone numbers and addresses. AntiSec published a million of these UDIDs online.
• Blizzard Entertainment, 2012 – 14 million records: Scrambled passwords, e-mail addresses, and personal security answers were knowingly stolen from Blizzard’s internal network. Blizzard itself would not elaborate on the size of the hack (“millions”).
• Greek Government, 2012 – 9 million records: A computer programmer was arrested in Greece for allegedly stealing the identity information of what could amount to 83% of the country’s population. The 35-year-old was found in possession of 9 million data files containing identification card data, addresses, tax ID numbers and licence plate numbers, which he was also suspected of trying to sell.
• LinkedIn/eHarmony/Last.fm, 2012 – 8 million records: A hacker known as ‘dwdm’ uploaded a file containing 6.5 million passwords on a Russian hacker forum. Soon after another 1.5 million passwords were discovered.  On analysis, 93% of the passwords could be found in the Top 10,000 password list.
• South Carolina State Government, 2012 – 6.5 million records: A man was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information after he gained access to personal information for more than 228,000 Medicaid beneficiaries.
• Adobe, 2013 – 36 million records: Hackers obtained access to a large swathe of Adobe customer IDs and encrypted passwords & removed sensitive information (i.e. names, encrypted credit or debit card numbers, expiration dates, etc.). Approximately 36 million Adobe customers were involved: 3.1 million whose credit or debit card information was taken and nearly 33 million active users whose current, encrypted passwords were in the database taken.
• Living Social, 2013 – 50 million records: Online criminals gained access to user names, e-mail addresses, dates of birth & encrypted passwords for 50 million people. Databases storing financial information were not compromised in the attack, the company said.
• Target, 2014 – 70 million records: Investigators believe the data was obtained via software installed on machines that customers use to swipe magnetic strips on their cards when paying for merchandise at Target stores.
• JP Morgan Chase, 2014 – 76 million records: The US’s largest bank was compromised by hackers, stealing names, addresses, phone numbers and emails of account holders. The hack began in June but was not discovered until July, when the hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers.
• Experian/T-Mobile, 2015 – 15 million records: The world’s biggest data monitoring firm disclosed a massive breach of customers who applied for service with T-Mobile. Names, addresses, birth dates, Social Security numbers, drivers license numbers and passport numbers.
• AshleyMadison.com, 2015 – 37 million records: Online hookup site for extra-marital affairs was been severely breached and the personal details of over 37 million users, as well as company financial records released. Notorious hacking outfit The Impact Team claimed responsibility, demanding the shutdown of AM.com and other associated sites.
• Securus Technologies, 2015 – 70 million records: Anonymous hacker leaked records of over 70 million prison phone calls, plus links to recordings. Recording/storing attorney-client calls potentially violates constitutional protections.
• Anthem, 2015 – 80 million records: Second-largest US health insurer Anthem failed to encrypt the stock of personal info it held. It took them 6 weeks to realise they’d been hacked.
• Philippine Government’s Electoral Commission, 2015 – 55 million records: After a message was posted on the COMELEC website allegedly by hackers from Anonymous, warning the government not to mess with the elections, the entire database was stolen and posted online.
• Turkish Government Citizenship Database, 2015 – 49 million records: The Turkish national citizenship database has allegedly been hacked and leaked online.
• Mossack Fonseca, 2016 – 11.5 million records: The ‘Panama Papers’ consist of 2.6TB of data on politicians, criminals, professional athletes etc leaked from Panamanian law firm Mossack Fonseca, including emails, contracts, scanned documents and transcripts.

Implications for National Security

On June 4th 2015 the US Office of Personnel Management admitted that there was a breach in April and that the personal records of 4.2 million current and former government employees may have been compromised. This breach was linked by officials in the government to Chinese hackers though the Chinese government has vehemently denied this. The hackers it is believed entered OPM records after gaining access to the systems of KeyPoint Government Solutions sometime in 2014.

Former head of both the Central Intelligence Agency and National Security Agency, retired General Michael Hayden has said that the data breach is a “tremendously big deal” and “The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target.” Believing the breach to have originated abroad, he fears that the stolen information will be used to help recruit spies in the U.S. and abroad while outing intelligence agents around the world.

One national security consideration of data breaches is that hackers could use information from government personnel files for financial gain. In a recent case disclosed by the US Internal Revenue Service, hackers appear to have obtained tax return information by posing as taxpayers using personal information gleaned from previous commercial breaches, according to information security analysis at Forrester Research. US Senate Intelligence Committee Chairman Richard Burr said the government must overhaul its cybersecurity defenses. “Our response to these attacks can no longer simply be notifying people after their personal information has been stolen,” he said. “We must start to prevent these breaches in the first place.”

The Need for Information Security

Data breaches have become a regular feature of modern life, and one that will have affected most of us by now. This will continue as long as efficiency and ease of data access trump security, a state of affairs which makes economic sense for many organisations, at least until they suffer their own data breach. Once a breach happens, the value of security becomes clearer. Data breaches are inevitable, and resources invested in advance can pay dividends when a crisis occurs. It takes maturity for organizations to recognise they cannot control the narrative after a breach becomes public, and that leadership involves being honest and transparent with stakeholders to maintain credibility in difficult circumstances.

There are a wide range of motivations for malicious hackers and data thieves, and without investment in measures such as threat intelligence, any government or organization could easily spend too much or too little time and money on prevention. Some organised criminal groups have capabilities equal to nation state intelligence agencies and will be capable of overcoming nearly any private sector attempts at information security. Their ability to operate globally, to reach an ever-increasing range of targets, also continues to improve.

Encryption is one vital aspect of information security

Encryption is a well-known technology that can restrict access, and its use has readily demonstrated its ability to render data useless to those who do not possess the key. This is exemplified by the uselessness of encrypted PINs and hashed passwords to cybercriminals. This is not new science or new technology; the power of cryptography to protect data is well-known and standardized.

Everyone, from individuals to organizations need to take stock of the protection of their sensitive information in order to ensure that they are fully prepared and engaged to deal with these ever-emerging data security challenges, before it’s too late.