6 massive government data breaches


We’re constantly hearing about data breaches lately—and it’s no wonder, given that 5 billion personal records were exposed last year.

While the majority of cybersecurity headlines center around consumer-facing companies such as Facebook and Equifax, the fact is government records are equally at risk.

Some might even argue that our governments’ information on us has a higher risk of exposure because of a lack of incentive to safeguard it: Governments don’t have to grapple with brand crises, PR fallouts, customer retention, or heightening competition as a result of a damning, avoidable cybersecurity breach. And their customers can’t simply pack up and move elsewhere.

Nonetheless, some administrations are responding to the threat online criminals pose. The U.S. cybersecurity budget, for example, grew by approximately 580 million USD in 2019 to settle at an eye-watering 15 billion USD.

So how did we get here? Let’s take a closer look at the six biggest government data leaks.

1. United States Office of Personnel Management

This critical data breach affected nearly 22 million federal employees in the U.S.

The hack, detected in early 2015, was mostly blamed on state-sponsored hackers in China and leaked millions of SF-86 forms.

These forms contain extremely sensitive personal information on existing federal employees as well as those seeking government security clearances. Information gleaned during extensive background checks—addresses, social security numbers, foreign visits, even family details—was siphoned.

To make things worse, the malware remained on the affected computers for two years before it was discovered. A congressional investigation followed, along with the resignation of top OPM officials.

Some estimates say that this attack’s cost to the U.S. government could reach 1 billion USD.

2. India’s Aadhaar

Aadhaar, the Indian government’s national ID database, was hit by a massive data breach in 2018 that potentially affected over 1 billion personal records.

Registration in the database is required for all Indian residents planning to open a bank account, buy a cellular subscription, or sign up for utility services like water and electricity.

The breach was discovered by Karan Saini, a security researcher based in the Indian capital New Delhi, and was the result of security vulnerabilities in a state-owned utility company. The Aadhaar breach exposed the names of individuals registered in the database, their bank account details, and other personal information.

The Indian government claimed media reports of the data breach were “fake news”.

3. Swedish Transport Agency

A widespread data breach in Sweden came about after a botched outsourcing agreement with IBM.

The leak at the Swedish Transport Agency revealed critical data like the details of all government and military vehicles, information about the country’s air force pilots, police officials, members of the military’s elite fighting units, and all those who took part in Sweden’s witness protection programme.

To blame were lax measures put in place by the former head of the agency, including the waiving of security clearance requirements for foreign IT workers. A later investigation declared that the practice was in breach of Swedish privacy and data protection laws, leading to a fine for the government official. She received one of the stiffest penalties ever issued to Swedish government personnel: half a month’s pay.

4. Iranian nuclear facilities

In 2009, uranium enrichment facilities in Iran were targeted by a highly sophisticated worm, the likes of which had never been seen before.

Referred to as Stuxnet, this malicious piece of code was able to destroy about a thousand uranium centrifuges by causing them to spin beyond recommended limits. It left operators stunned and unaware of the source of the problem, baffling even Siemens, the manufacturer of the machinery in question.

While technically not a data breach, Stuxnet makes the list for its complex nature and terrifying real-world implications. Plus, it’s spawned lots of copycat malware, referred to as “sons of Stuxnet.”

One of these, Duqu, was programmed to mine data from industrial facilities to use in later attacks. Another, Flame, recorded private Skype conversations and spied on government organizations in Middle Eastern countries.

It can be argued that Stuxnet emboldened cybercriminals and hackers-for-hire who aim to damage vital government installations, whether for personal data gain or to cause widespread pandemonium. We definitely haven’t seen the last of these.

5. U.S. voter databases

Personal information of 191 million American voters was exposed in 2015 after incorrect configuration left it at the mercy of the open internet.

First discovered by independent researcher Chris Vickery, the data breach included specific details such as names, birth dates, phone numbers, and email addresses of voters across the United States.

Two years after this incident, another security lapse exposed information on 198 million Americans—believed to be every registered U.S. voter from as far back as a decade ago.

The uncovered records listed personal information like home addresses and phone numbers, as well as more detailed profiling information such as ethnicity, religion, and political leaning.

6. Russia’s Federal Security Service

The largest government data breach in Russia took place just a few days ago. Hackers managed to successfully infiltrate the FSB—Russia’s Federal Security Service, similar to the FBI and MI5.

The heist, attributed to hacking group 0v1ru$, targeted a contractor of the FSB and managed to siphon away over 7.5 terabytes of data. The data was then promptly shared with mainstream media organizations.

Some of the secret projects mentioned in the stolen data were initiatives by the FSB to uncover the identity of Tor users, mass scraping of social media profiles, and preparation to help the Russian government cut its internet off from the rest of the world.

The contractor in question, SyTech, received 40 million rubles in state projects in 2018, according to the BBC, and also serves the national satellite communications operator JST RT Komm.ru as well as the Supreme Court of Russia. It’s unclear whether the stolen data was specific to SyTech’s work with the FSB alone or also involved other state entities.

While the FSB has similarities with the FBI and MI5, it isn’t restricted to just domestic surveillance and intelligence gathering. Its duties extend across Russian borders to include electronic monitoring overseas and other global espionage attempts. Known as the successor to the infamous KGB, the FSB reports directly to Russia’s president.

Protect your data

Always use a strong, unique password and a VPN.
