In October 2015, Georgia Secretary of State Brian Kemp’s office mailed CDs containing the personal information, including SSNs and birthdates, of 6.2 million registered voters in the state to 12 organizations that had purchased voting lists from the office.
Ordinarily, the voting lists should not have included the personally identifying information.
The breach resulted from what investigators later said was a clerical error on the part of a programmer who had worked with the state for a long time.
According to the Atlanta Journal Constitution the chain of events that led to the snafu began with a request from the Georgia Department of Revenue for the Social Security numbers, driver’s license numbers, birthdates and other personal data belonging to voters in the state. Instead of the data being uploaded to a separate secure file, the employee inadvertently attached it to the voter list file that was meant for distribution to those who had purchased it.
Kemp’s office later said all the discs that were mailed with the mistakenly added personal information were recovered and destroyed.
The United States Postal Service was forced to temporarily take down its VPN service for employees and suspend telecommuting following a November 2014 intrusion that exposed personal data on 800,000 employees.
The unknown threat actors behind the attack accessed files containing the names, Social Security numbers and a slew of other personal data belonging to all active postal workers and those who had retired from the USPS after May 2012. Victims included the US Postmaster General, executive leadership team members and members of the USPS Employee Advisory Services Group.
The breach also exposed the names and telephone numbers of an estimated 2.9 million postal service customers who had called or emailed the USPS’ call center with an inquiry between January and August 2014.
A postal service FAQ posted after the incident did not identify the cause of the breach but noted that the USPS’ VPN was identified as being vulnerable to attack. The FAQ claimed that postal service cyber investigators had identified the methods and the locations that the attackers used to gain access to data systems.
The breach led to some speculation about China-based threat actors being behind it.
Unknown attackers illegally accessed tax return data belonging to approximately 724,000 individuals using an Internal Revenue Service (IRS) application called ‘Get Transcript’ that allows individuals to retrieve copies of previous tax records filed with the agency.
To pull off the caper, the attackers first obtained Social Security Numbers, names and other identifying data belonging to the individuals, from unknown third-party sources. They then used the data to authenticate themselves to the Get Transcript application and retrieve tax records belonging to the 724,000 tax filers.
When the IRS first announced the breach in May 2015, it said that records belonging to approximately 100,000 people had been compromised. In August 2015 the agency revised that number and said it had discovered another 220,000 instances where the attackers had gained access to taxpayer records. Six months later, in February 2016, the IRS yet again revised its estimates upwards noting that its continuing investigation of the incident showed another 390,000 people had been affected.
The intrusion prompted the IRS to disable an online download and viewing capability in My Transcript. The agency is working on adding stronger authentication protocols before bringing it back up online.
In what could be the biggest-ever case of insider theft, a former government contractor who worked for the NSA and other federal agencies was arrested in August 2016 for allegedly stealing a staggering 50 terabytes of government data over the course of 20 years.
FBI agents who raided his home discovered another six bankers boxes full of printed documents allegedly pilfered from the government agencies that Martin worked for over the past several years.
Details of the case are only still unfolding. So it is not entirely clear what exactly Martin, who has been described as a computer security whiz, is alleged to have stolen or why. All that federal investigators have revealed so far is that at least some of the data found in Martin’s possession at the time of his arrest was highly confidential and of national security importance. One example of such a document that has been cited in court filings contained specific operational plans against a known US adversary.
In June 2015, the Office of Personnel Management, which manages the employment records of employees and contractors in civilian federal agencies, discovered two separate but related intrusions into its network.
One of the intrusions affected personnel information, such as name, SSN, and date of birth, belonging to about 4.2 million current and former federal government employees. The other intrusion exposed names, Social Security numbers, health, criminal and financial histories and other background investigation records of 21.5 million employees and contractors who were either currently working with the government or had previously worked for it. Approximately 5.6 million of the compromised records included fingerprint data.
OPM’s breach disclosure evoked widespread concern not just because of the number of records involved but also because of the type of data that was exposed. Security analysts believe that threat actors will use the data for years in identity theft scams, for spear phishing and other social engineering campaigns.
Not surprisingly, the breach disclosure drew considerable attention to the OPM’s security practices — or lack thereof. Many have faulted OPM for not encrypting the highly sensitive data in its possession and for not having enough controls for detecting and mitigating the intrusions quickly enough.
The National Security Agency (NSA) has the dubious distinction of being the victim of not one, but two of the most significant data breaches involving a government entity in recent years.
In August 2016, a group calling itself the ShadowBrokers publicly dumped some 300MB of data allegedly stolen from the Equation Group, a shadowy outfit that is widely believed to be associated with the NSA. The data included information on dozens of highly secret exploits and attack tools that the NSA had developed and used over the years for conducting cyber intelligence operations against US adversaries.
ShadowBrokers claimed it had even more information allegedly purloined from the Equation Group up its sleeve. The group said it would sell the data to anyone willing to pay the equivalent of slightly more than $500 million.
In early November, ShadowBrokers dumped more stolen data. This time the leaked information included configuration data on a toolkit that the NSA allegedly used to break into numerous Sun Solaris servers around the world and to host and execute exploits on them against targeted adversaries.
Unlike the first data tranche though, the information in the second set was somewhat less actionable and appeared intended mainly to show that ShadowBrokers did indeed have more information in their hands, like they had previously claimed.
There is some speculation that Harold Martin, a former NSA contractor who was arrested in October for allegedly stealing more than 50 TBs of government data, might have had a hand in the ShadowBrokers leak. But so far there is no confirmation of that and it remains a mystery how and where ShadowBrokers managed to get access to the data.
Few data breaches in modern history have had as broad an impact or fueled as many changes politically, economically and socially as Edward Snowden’s theft and subsequent leaks of highly classified documents from the National Security Agency (NSA) in 2013.
Snowden worked for several years as a contract employee for the NSA at one of its facilities in Hawaii and prior to that in Japan. He abused his privileged access to classified systems to download copious and staggeringly detailed information on highly secret NSA domestic and international surveillance programs.
His revelations about the existence of the NSA’s bulk phone metadata collection practices and projects like its massive PRISM data mining initiative prompted changes to the nation’s surveillance laws and greater oversight over the practices of US intelligence agencies. Concerns over government and law enforcement access to data held in the cloud by US companies prompted foreign governments, mostly notably in the European Union, to impose new privacy requirements on American companies for handling data on EU residents.
Many view Snowden, who fled to Russia after the leaks, as a traitor for revealing national security secrets. Many others view him as a hero for focusing attention on what they see as the dragnet security practices by the government in the name of counter-terrorism. From an enterprise standpoint, the Snowden case remains one of the most dramatic examples of insider risks and privileged access abuse.