Twenty years ago, when people wanted to retrieve government documents they had to resort to espionage, bribery or theft, and sometimes a combination of all three. These days there are still those who spy on government agencies and organizations, and indeed steal from them, but they do so from the comfort, convenience and anonymity found behind a computer screen. A very talented hacker can leave no trace, and sometimes may never be caught. If they’re not so talented – or lucky – they are still prosecuted in the same way as real-life criminals; there’s no virtual jail for hackers…
Great hackers have occasionally been recruited (or so urban legend tells us) either by a government or privately. Who better to advise on or develop anti-spyware, antivirus software and firewalls to keep people like themselves out? If you were a world-renowned hacker (although a big part of hacking is remaining anonymous – so maybe not renowned, but at least influential), would you sit in a small dark room alone and search out plots to make life difficult for The Man, or would you be like Salander of The Girl with the Dragon Tattoo, working for the highest bidder regardless of ethics?
There are hackers across industries and systems, and governments are certainly not exempt from a hack attack; indeed, a successful government hack – while one of the most dangerous – is almost the pinnacle of hacker prestige. What are the five biggest government Internet breaches ever? Maybe we’ll make you work for it.
5. Washington State Court System: 160,000 files
This breach has been officially recorded as having involved 160,000 records. However, and this is a big however, the Washington Courts Data Breach Information Center’s website reveals, as do side sources, that up to 1 million drivers’ license numbers could have been accessed in the period in which their system was hacked, between autumn, 2012 and February, 2013. The other 160,000 records that were not drivers’ licenses? Social Security Numbers. That’s right—the breach of the court’s office involved the exposure of one of the most crucial aspects of an individual’s personal identity, the SSN.
By the court’s own knowledge or admission, at least 94 people definitely had their SSNs accessed, although the center for the breach says: “up to 160,000 social security numbers and 1 million driver license numbers may have potentially been accessed.” They maintain that no court records were altered and that no financial information is kept on the site. It is unclear how they know conclusively about the “at least” 94, yet have less information about the “up to” 160,000 SSNs. Their site reports they took immediate action (upon learning of the roughly half-year breach) to “enhance…security to ensure this does not happen again.”
4. San Francisco Public Utilities Commission: 180,000 files
SFPUC’s spokesman, Tyrone Jue, said that signs of something going on were first noticed in the form of a virus on an unsecured server that stored customer data. Immediately one sees a flaw in that wording: “unsecured server” and “[storing] customer data” don’t seem like they should be in the same sentence! He said that it was unclear how the server got infected with the virus, but was quoted as saying, “it looked like someone had found an open port on the server and dumped a bunch of viruses on it.” The relevant file containing sensitive information consisted of names, addresses, account numbers, phone numbers and some email addresses. Jue said the file did not contain any financial information.
Apparently the server, which was hacked in the spring of 2011, was open to the Internet, but the relevant file was encoded and in plain text. This caused the data to be jumbled enough that matching of information to customers was not a simple task. The SFPUC representative said that as far as could be discerned, no information was taken, but customers were notified regardless, to err on the side of caution. A wise move, especially as people were cautioned that SFPUC staff always carry identification and do not ever ask to enter a home without prior arrangement with the customer.
3. Medicaid, Utah Department of Health: 780,000 files
This massive government breach occurred in April 2012. The computer server for the Utah Department of Health was improperly secured, and about a half million Utah Medicaid clients had sensitive information exposed, including dates of birth, medical claims, addresses, physicians’ names, and other forms of medical information. 280,000 had their Social Security Numbers exposed.
Two-thirds of the affected parties were children. The breach was first seen on April 2, when epic amounts of data began streaming out of the server. Initial information did not encompass the extent of the breach, especially with regard to the number of SSNs accessed.
At the time of the breach, data was not encrypted, either on the server or during transit. The hackers’ ability to access the government server, however, has been ascribed to one person’s failure to change a default password. The director of the responsible department was fired and two other employees were under review, with no updated information on the latter. Costs included at least $460,000 in working with Experian, a credit-reporting company, to contain the breach. Additionally, victims were offered two years of free credit “monitoring,” although in the first year under 60,000 people took advantage of this.
2. Virginia Department of Health: 8,257,378 files
A Virginia Health Department website used to track drug abuse was hacked in 2009, and a ransom note was posted on the site’s homepage. This breach was first made public through WikiLeaks. The ransom note demanded $10 million in exchange for the return of more than 8 million patient records and almost 36,000 prescription files. The homepage message meant for staff at the Virginia Prescription Monitoring Program claimed that the information, a prescription database, had been bundled into a password-protected, encrypted file. The $10 million would have technically been in exchange for the password, and the “kid-hackers” said if the money was not released they would sell the information to the highest bidder.
The Virginia government refused to pay the ransom money and hired the FBI instead. These men in black followed all leads, but to date no one has been captured. Although the site was inaccessible for some time, the date for the “big exchange” came and went without much of anything happening. As far as state officials could make out, it was not clear if the hackers could actually view the temporarily tied-up records. None of the database information was lost in the end, and nothing seems to have come of the case, which is still open.
1. Greek Government: 9,000,000 files
The only one of the world’s largest government hacks that did not occur in the United States is also the biggest. People around the world will likely remember this one most. It happened in autumn, 2012, and was reported in late November of that year.
A computer programmer allegedly stole identity information for more than 83% of Greece’s entire population. According to Reuters, the 35-year-old hacker possessed roughly nine million data files, which contained addresses, ID card data, tax ID numbers and even license plate numbers. Now that’s thorough! Police caught the man, who was also suspected of having tried to sell the vital information, but did not catch anyone else, though they thought it was possible the hacker had an accomplice within the government.
It has been, in the end, hard to identify exactly how many people were affected. Although 9 million files on 9 million separate individuals would represent the bulk of Greece’s population, police ended up pointing out that some of the information was duplicated, and so some files may have overlapped, reducing the number of actual people affected. However, there is no way of knowing exactly what the specifics are without paying to painstakingly go through every one of the stolen records, and Greece has likely had other financial priorities…. Perhaps a job for the computer-savvy thief?