In May, the IRS believed that the tax returns of only 114,000 households had been copied.
This is probably not the last case like this. After the OPM hack, President Obama ordered a “30-day cybersecurity sprint.” This improved the situation somewhat—use of security fundamentals like two-factor authentication surged—but some agencies actually reported worse figures for those basics at the end of the month than they did at the beginning.
In some ways, this is a government story. No one claimed that a 30-day sprint could fix the considerable problems afflicting government cybersecurity and technology, and, just to be clear, it did not. A sprint could not fix even a single website, Healthcare.gov (though it helped!), and it is unlikely to work for the hundreds of websites and databases operated out of Washington. Improving the state of cybersecurity will require slow, necessary steps like procurement reform.
But it reaches much further than civics. The IRS hack wasn’t the only piece of cybersecurity news this week; it probably isn’t even the biggest. Ashley Madison, the social network explicitly for married people looking for affairs, was hacked last month. On Tuesday, both Ars Technica and Brian Krebs, one of the most respected cybersecurity reporters, confirmed that the contents of that hack, about 10 gigabytes of files, had been posted to public BitTorrent trackers, and that the dump contains user profiles, phone numbers, email addresses, and transaction histories. That information is just sitting on public networks now: Anyone can check whether someone was an Ashley Madison user, provided they know the email address or credit card that person signed up with. (One caveat: the site never verified email addresses at signup, so an address appearing in the dump shows that someone registered with it, not necessarily that its owner did.)
This is new territory. “If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private,” writes John Herrman at The Awl. “The Ashley Madison hack is in some ways the first large-scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible—likely?—that you will know someone in or affected by this dump.”
Between the attacks on Ashley Madison and the U.S. government, what we’re seeing play out, in public, is an erosion of the possibility of trust in institutions. No secrets—whether financial, personal, or intimate—that have been confided to an organization that uses servers can be considered quite safe any more. You don’t even have to submit your data online: As long as your information eventually winds up on a computer connected to the Internet, you could be in trouble.
All these attacks, it’s worth adding, didn’t happen only because hackers suddenly became much more sophisticated. They seem to have occurred because powerful institutions, public and private, failed to carry out basic security due diligence. (Even at the end of the “cybersprint,” fewer than a third of U.S. Department of Justice workers used two-factor authentication.) This makes it nearly impossible for a consumer to know which organizations are trustworthy until it’s too late.