Read security news this past summer and you might notice a pattern.
First, a U.S. government agency announces that it’s found a security breach and is investigating what occurred. Some time passes.
Then, it announces the breach affected a certain number of people—more than it thought at first. More time passes.
Finally, it announces that research has revealed the breach to be massive, tearing way further into its servers than initially imagined.
Such was the story of the Office of Personnel Management (OPM) hack earlier this summer. As news dribbled out from May to June to July, the size of the OPM hack swelled—from 4 million, to 18 million, to 21.5 million—and the kind of information accessed got worse and worse. In 2014, a hack that accessed information about 800,000 U.S. Postal Service employees followed largely the same story.
And now it’s happened again. On Monday, the Internal Revenue Service announced that a security breach first revealed in May affects almost three times as many people as initially thought. The IRS says that it is notifying more than 330,000 households that their tax returns were probably accessed by attackers. The personal information of an additional 170,000 households might be vulnerable as well, the agency also said.
In May, the IRS believed that the tax returns of only 114,000 households had been copied.
This is probably not the last case like this. After the OPM hack, President Obama ordered a “30-day cybersecurity sprint.” This improved the situation somewhat—use of security fundamentals like two-factor authentication surged—but some agencies actually reported worse figures for those basics at the end of the month than they did at the beginning.
In some ways, this is a government story. No one thinks that a 30-day sprint can fix the considerable problems afflicting government cybersecurity and technology, but—just to be clear—there is no conceivable way that a 30-day sprint fixed the considerable problems afflicting government technology. A sprint didn’t fix just one website, Healthcare.gov (though it helped!), and it’s unlikely to work for the hundreds of websites and databases operated out of Washington. Improving the state of cybersecurity will require slow, necessary steps like procurement reform.
But it reaches much further than civics. The IRS hack wasn’t the only piece of cybersecurity news this week—it’s probably not even the biggest. Ashley Madison, the social network explicitly for married people trying to find affairs, was hacked last month. On Tuesday, both Ars Technica and Brian Krebs, one of the best regarded cybersecurity experts, confirmed that the contents of that hack—10 gigabytes of files—were posted to public BitTorrent trackers, and that the dump contains user profiles, phone numbers, email addresses, and transaction histories. That information is just sitting on public networks now: Anyone can check to see if someone was an Ashley Madison user (provided they used their known email address or credit card).
This is new territory. “If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private,” writes John Herrman at The Awl. “The Ashley Madison hack is in some ways the first large-scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible—likely?—that you will know someone in or affected by this dump.”
Between the attacks on Ashley Madison and the U.S. government, what we’re seeing play out, in public, is an erosion of the possibility of trust in institutions. No secrets—whether financial, personal, or intimate—that have been confided to an organization that uses servers can be considered quite safe any more. You don’t even have to submit your data online: As long as your information eventually winds up on a computer connected to the Internet, you could be in trouble.
All these attacks, it’s worth adding, didn’t happen only because hackers suddenly became much more sophisticated. They seem to have occurred because powerful institutions, public and private, failed to complete security due diligence. (Even at the end of the “cybersprint,” less than a third of U.S. Department of Justice workers used two-factor authentication.) This makes it nearly impossible for a consumer to know which organizations are trustworthy until it’s too late.
These hacks, and the ones we don’t know about yet, require a quasi-multidisciplinary interpretation. If the IRS, OPM, or USPS hacks seem worrisome, imagine personal information from those attacks counter-indexed against the Ashley Madison database. Wired is already reporting that about 15,000 of the email addresses in the Madison dump are from .gov or .mil domains. An attacker looking to blackmail the FBI agent whose background check data they now hold—or, at a smaller scale, a suburban dad whose tax return wound up in the wrong hands—knows just which database to check first. No hack happens alone.