6 Of The Worst Data Breaches in U.S. History

On this episode of Incognito Mode, join WIRED Senior Editor Andrew Couts for a deep dive into the six worst data breaches of the past 10 years.

Released on 09/29/2025

Transcript

Data breaches happen literally all the time.

[camera snapping] [ominous music]

Something is probably getting hacked right now.

Today we'll do a deep dive

into the six worst data breaches of the past 10 years.

This is Incognito Mode.

[dramatic music]

In July 2015, a person or group calling themselves

the Impact Team announced that they had hacked

ashleymadison.com, a website used for people

who wanna cheat on their spouses.

A website that I definitely only heard about

for the first time this morning.

Impact Team threatened to release the data

on all of Ashley Madison's users unless its parent company

Avid Life Media deleted ashleymadison.com

as well as its sister site Established Men.

Instead of deleting the websites,

Avid Life Media released several statements

basically saying that they were dealing with the breach.

In response, Impact Team released the details

of 2,500 accounts to prove that they had the data.

A month later, after Avid Life Media

failed to delete the websites,

Impact Team released the account details

of all of Ashley Madison's 36 million users.

Unlike some criminal hackers, who wage attacks

simply to get money, or state-sponsored hackers,

who do it for other purposes like espionage,

hacktivists generally wage attacks

simply to make a moral point,

such as getting a website for cheaters off the internet.

You have a lot of people that are freaking out right now

that are very concerned

that this information would never get out

and back to their spouses.

These email addresses can be used for other things.

They can be used for identity theft.

They can be used for blackmail and extortion.

The data Impact Team released included phone numbers,

email addresses, including thousands linked to US military

and government accounts, as well as other details.

It also revealed that while Avid Life Media charged people

$19 to have their accounts deleted,

it didn't actually delete that data.

It was just removing profiles.

The company is said to have made $1.7 million a year

just from people having their data deleted.

The leak also exposed

some 1,200 Saudi Arabian email addresses,

which is particularly dangerous

because adultery is punishable by death in Saudi Arabia.

Also exposed was Josh Duggar,

a member of the reality TV show 19 Kids and Counting,

a family-focused show that promoted Christian values.

Duggar was later convicted as a sex offender

on unrelated charges.

Reporting found that some 70% of Ashley Madison's users

were men, and of the few women that were on the site,

many of them only logged in once or were just bots.

Impact Team's leak led to widespread harassment

and shaming of Ashley Madison users,

and reportedly led to at least two deaths by suicide.

Avid Life Media ultimately faced

a major class action lawsuit and was forced to settle,

but the data that Impact Team released is still online,

so is ashleymadison.com,

and the perpetrators remain unknown.

[dramatic music]

In October 2020,

a popular chain of mental health clinics in Finland

called Vastaamo announced that it had been breached.

The attacker said that they had stolen patient records

and was extorting the company for 40 Bitcoin

or roughly 400,000 euros at the time.

The hacker had the records of roughly 36,000 patients.

For a country with just 5.5 million people,

this breach made it one of the worst crimes

impacting the most people in Finnish history.

Not only that, but this breach was extremely cruel,

impacting some of the most sensitive information

about a person, including notes with their therapist

and other health information.

The hacker, using the name Ransom Man,

first tried extorting the company directly.

When that failed,

he began trying to blackmail patients individually,

sending out tens of thousands of ransom notes,

threatening to reveal patient information.

Records show that the hacker accessed the company's systems,

not once but twice.

A flaw in the company's IT system

exposed the entire patient database to the internet.

This gave the hacker access to unencrypted records

that were not anonymized.

As part of the extortion scheme,

the hacker was posting patient records daily

in an attempt to pressure Vastaamo to pay the ransom.

The hacker was later revealed to be Julius Kivimaki,

a member of the infamous hacker group Lizard Squad,

which was responsible for the 2014 Christmas hacks

of Xbox Live and the PlayStation Network.

Why did you do this? It affected so many people.

Why we did it? Mostly to raise awareness of ourselves.

In February 2023, Kivimaki was arrested in France

and ultimately convicted of the Vastaamo hack

and sentenced to six years and three months

in Finnish prison.

Recently, Kivimaki was released from custody

as he appeals his case.

Vastaamo has since gone bankrupt.

[dramatic music]

In 2015, a security engineer was doing a routine checkup

on the network of the Office of Personnel Management,

the US government agency that handles employment

for most of the federal government.

That routine checkup ultimately led to the discovery

of one of the biggest hacks

of a US government agency in history.

More than 21 million Americans

had personal information stolen from government files

in a data breach that was six times as large

as originally disclosed.

OPM is basically like the HR department

for the US federal government.

That means they have a mountain of information

about everyone who works for the federal government

or applies for a job there

or has ever worked there in the past.

Around the time of the breach, OPM was fending off

more than 10 million attempted digital intrusions a month.

In this case, hackers were able to exploit a vulnerability

in OPM's systems and install malware

on fewer than 10 servers,

one of which is known as the jump box,

which gave them access to OPM's entire system.

Now, you might think a hack of this scale

would be really obvious and easy to detect,

but in this case, security personnel

had to follow small digital breadcrumbs,

which ultimately led them to a website

called opmsecurity.org.

This third party website was registered by somebody

under the name Steve Rogers, or Captain America.

That Captain America reference ultimately led investigators

to a Chinese military hacking group,

which often referenced Captain America in their breaches.

At this point, OPM knew that it had been hit

by an advanced persistent threat or APT,

which is typically a state-sponsored group of hackers.

Now, when we're talking about APTs,

we're not talking about some kids causing havoc

or even cyber criminals trying to make money.

We're talking about the world's most advanced hackers,

which often steal this data

and use it for espionage purposes,

blackmail, or national security reasons.

Among the most sensitive data stolen in the OPM breach

was its trove of what's known as Standard Form 86.

The SF-86 questionnaire can include

all types of sensitive questions,

including those about personal finances,

past drug use, and psychiatric care.

Word coming down late this afternoon

of what sources are telling us

is a massive Chinese hack of US government computers,

perhaps on a scale never seen in this country before.

So how big is this breach?

Well, to give you some figures, at the time,

OPM was processing more than two million

background checks a year.

That includes everyone from federal contractors

to federal judges.

OPM's database included more than 18 million archived copies

of Standard Form 86.

It also gathered data on applicants

for some of the government's most secretive jobs.

That data can include everything

from the results of lie detector tests

to notes on people's sexual behavior.

The hackers also grabbed personnel files on 4.2 million

past and present government employees.

And finally, just before the breach was revealed,

the hackers grabbed 5.6 million images of fingerprints.

The hack of OPM ultimately exposed 22.1 million records

on US government employees,

people who had undergone background checks

and their families.

At the time, there was a lot of speculation

about what the Chinese military hackers

would do with the data they had stolen.

Some of these included recruiting spies

or even creating fake fingerprints

for bypassing biometric security,

but it's still a mystery why the hackers wanted the data

and what they might have done with it.

[dramatic music]

Massive personal data breach.

Equifax, the credit monitoring company,

says that Social Security numbers of 143 million Americans

may have been exposed.

One of the most infamous hacks of all time

is the 2017 breach of Equifax,

a major credit reporting agency.

The attackers had gained unauthorized access

to certain Equifax data files.

The hack exposed personal records

of nearly 148 million Americans,

along with roughly 14 million UK citizens

and 19,000 Canadian citizens.

This makes it one of the largest exposures

of personal data in history.

This was a massive breach

affecting most adult consumers in this country.

But what was also exposed

was Equifax's really poor security practices.

Just to give you a sense of what Equifax is,

it's one of the top three major credit reporting bureaus.

It operates in 24 countries,

and it has an annual revenue of around $5 billion.

Given that the company handles extremely sensitive data,

like your Social Security number

and even issues credit scores,

you would think that security would be

their utmost priority.

A scathing new report

finds one of the largest data breaches in US history

was entirely preventable.

The Equifax breach began in May of 2017,

but the company didn't learn about it until July

and it didn't tell the public about it until September.

To make matters worse, there was a patch available

to the vulnerable software the hackers exploited

all the way back in March,

which means Equifax had two months to fix its systems,

which would've prevented the hack.

Investigators found that Equifax

failed to use multifactor authentication

and even used the username and password "admin"

for one of their portals.

Maybe they should have been reading Wired

to find out why they should not do that.

Equifax's poor security practices

were already known to the company years before.

An audit in 2015 found that Equifax's IT team

wasn't following the company's own patching schedules.

The data stolen from Equifax included people's names,

Social Security numbers, dates of birth, addresses,

and driver's license numbers,

and some people even had their credit card numbers stolen.

There are strangers out there that know who I am.

They know my birthdate, they know my social security number,

and they know specifically where I live.

That scares me.

In 2019, Equifax agreed to pay the US Federal Government

and all 50 states between $575 million

and $700 million as a result of the breach.

As part of the settlement,

Equifax agreed to pay $300 million to affected customers

and also provide them with free credit monitoring services.

In 2020, the US Department of Justice

charged four members of the Chinese People's Liberation Army

with crimes related to the Equifax breach.

China's government denies its involvement,

and this data has never been posted online.

[dramatic music]

If you were anywhere near the internet

or a television during the contentious

2016 presidential election in the United States,

all you heard about was Russia, Russia, Russia.

There were Russian bots in our comments.

There was fake news.

There was Russian meddling all over the place,

or so some said.

No matter what anyone says about Russia's involvement

in that hectic 2016 election, one thing we do know

is that Russia's military hacked the Democrats,

and we have the emails to prove it.

The 2016 hacks against the Democrats weren't just one hack,

and it wasn't even just one group.

It's been reported that it was two separate

Russian military hacking groups

known as Cozy Bear and Fancy Bear.

In summer of 2015, Cozy Bear,

a hacker group tied to the Russian military,

gained access to the servers

of the Democratic National Committee.

Separately, in March 2016, Fancy Bear hackers gained access

to the personal email of John Podesta,

Hillary Clinton's presidential campaign chair.

Then in April of that year,

Fancy Bear also gained access to the DNC servers.

When the breaches of the DNC were first revealed,

experts believed that Cozy Bear and Fancy Bear

were operating independently

and had no knowledge of each other's activities,

which is common among Russian military hackers.

The US Intelligence community even concluded

that Russia hacked the Democrats

in order to help the election of Donald Trump.

WikiLeaks, I love WikiLeaks.

In June of 2016,

someone operating under the name Guccifer 2.0

started pinging reporters with offers of leaked emails

from the DNC and the Clinton campaign.

Ultimately, some 44,000 emails would be released online

either by a website called DC Leaks or by WikiLeaks,

the radical transparency organization run by Julian Assange.

One of the biggest scandals to come out of the email leaks

was evidence that the Democratic Party

clearly favored Hillary Clinton

over Senator Bernie Sanders in the 2016 Primary.

So this is another set of email problems

for the Democrats and Hillary Clinton.

Bernie Sanders supporters are very upset

by these revelations that are shown in these emails.

However, the ultimate result was just pure chaos,

and it's led to a lot of weird things in American politics,

from the mainstreaming of conspiracy theories

to the ultimate distrust of pretty much everyone

in the political sphere.

Another lasting consequence was the rise of Pizzagate

and other conspiracy theories,

which stemmed from the Podesta email leaks.

Pizzagate, if you don't remember,

is the completely unfounded conspiracy theory

that Democrats are a pedophile cabal

that included raping children

in the basement of a pizza shop in Washington, DC.

A pizza shop, it should be noted, that does not have a basement.

The rise of Pizzagate ultimately led to the rise of QAnon,

which ultimately led to the weird, polarized,

fractious political environment we're in today.

This is a good example

of state-sponsored hackers stealing data,

not for the data itself,

but for what releasing that data could do.

[dramatic music]

In late 2024, US officials revealed

that roughly 10 US telecommunications companies

had been infiltrated by Salt Typhoon,

a hacker group tied to China's government.

The hacked telecom companies

include AT&T, Verizon, T-Mobile, and several others.

The Salt Typhoon hackers were found to have been spying

on the phone calls and text messages

of both the Harris and Trump campaigns,

as well as the office

of then-Senate Majority Leader Chuck Schumer.

It was later revealed that Salt Typhoon successfully hacked

the US National Guard.

In August, the FBI said that Salt Typhoon hackers

had targeted 600 organizations in 80 countries,

including 200 American companies.

Salt Typhoon's breach of US telecommunications networks

is seen as the worst telecom hack in US history.

The Chinese hackers were in the American telecom system

for probably a year before they were detected.

It's so bad that even the FBI recommended

that people use encrypted messaging systems

like Signal to protect their communications.

While companies and government officials

say they've taken steps to mitigate Salt Typhoon's attacks,

they've stopped short of saying

they've completely eliminated the threat

knowing that Salt Typhoon hackers are difficult to root out.

Because Salt Typhoon's hacking campaign is still ongoing,

the impacts of these breaches are unknown.

This has been Incognito Mode. Until next time.