Data protection has become a hot topic recently with new laws in Australia that ensure ISPs (Internet Service Providers) and telecommunication companies store all customer metadata for two years so authorities can review it if required. Previously, the only data you might have been worried about the wrong people seeing was the masses of information we hand over daily to giant internet companies who, you would hope, look after and protect this information. Sadly, there are people out there who are hell-bent on accessing this information and sharing it with the world. Depending on your viewpoint, sometimes a mass release of data can save lives and change the course or duration of wars, or it can potentially endanger lives and personal or even national security.
What follows are five incidents where both accidentally and intentionally leaked data caused chaos:
Edward Snowden – 1.7 million confidential NSA files leaked
Edward Snowden was a junior-level systems administrator for multiple branches of the intelligence service in the US, as well as other companies working on contracts for the CIA and NSA. Disillusioned with the work he was carrying out, Snowden decided to leak documents on NSA programmes and capabilities. These programmes have been, and continue to be, used to collect and store personal communications both within the US and abroad.
The documents leaked by Snowden gave examples of unlawful mass surveillance by America’s intelligence agencies and their equivalents in other countries, including political, industrial and counter-terrorism espionage that the public was unaware of. It’s estimated that Snowden could have downloaded and taken in excess of 1.7 million files from the NSA database for distribution to journalists. Snowden is currently seeking refuge in Russia, the only country that would grant him asylum, whilst fighting an expected 30-year prison term for crimes under the US Espionage Act.
Ashley Madison – 37 million user account details leaked
With the slogan ‘Life’s short. Have an affair’, AshleyMadison.com (AM) was marketed as a dating website specifically targeted to men and women seeking action and romance outside of their relationship. In July 2015 a group that called itself ‘The Impact Team’ stole masses of user data from AM with the intention of releasing it if the site wasn’t shut down immediately.
Their initial demands were ignored and 25 gigabytes of stolen personal data was released. This mass release included data that users had paid an additional cost to have ‘permanently deleted’, proving that their data had been handled inefficiently prior to the hack. The remaining stolen data was eventually released on the dark web and is still up there to this day.
Yahoo – 1 billion user account details leaked
In 2016, Yahoo announced that it had been hacked and that the customer data of over one billion of its users had been stolen. What makes this leak even more interesting is that they announced it a full three years after the event. They claimed that in 2013 an ‘unauthorised party’ broke into the accounts and accessed the data using forged cookies – bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit. The cookies ‘could allow an intruder to access users’ accounts without a password’ by misidentifying anyone using them as the owner of an email account.
The perpetrators were never found and nobody has ever been convicted for the hack. It’s officially the biggest leak in the history of consumer data and it happened at a time when Yahoo was scaling down its data security.
PlayStation Network – 77 million accounts compromised
In 2011, the PlayStation Network (PSN) experienced an outage as a result of what they called an ‘external intrusion’. It was revealed a few days later that the outage was caused by a hack on the network and that over 77 million user account details and payment details had been compromised. Sony took well over a week to inform its customers of the nature of the leak, earning condemnation from governments the world over. The outage lasted a total of 23 days until PSN were satisfied with their security upgrades.
Australian journalists’ metadata accessed illegally
A new law in Australia requires internet service providers and telecommunications companies to hold 2 years’ worth of customers’ metadata for law enforcement agencies should it be needed to investigate a crime. On the back of this, the Australian Federal Police attempted to gain access by force to a journalist’s metadata and were later found to have done this illegally.
The journalist’s data was accessed without him being under investigation for a crime, directly contravening the rules of the Act. This incident is currently being investigated by the Australian Federal Police commissioner, Andrew Colvin. It’s not illegal to hide or even permanently delete your metadata – and you can manage this type of data using software such as cleandocs or by masking your computer using a VPN – but any metadata taken can be used against you in a criminal investigation.