Stealing information can be just as lucrative–and destructive–as stealing anything else. Our look at the history of data theft touches on some of the major (or just really interesting) crimes in history. The father of the American Industrial Revolution? A glorified data thief. That tea you’re drinking (let’s say just for the duration of this sentence, you are drinking tea)? That’s a stolen secret recipe, the theft of which involved a Scotsman dressed up in “traditional mandarin garb.” And if you’re a PlayStation Network user or a Gawker commenter, you’ll be familiar with some of the latter items on our list. And don’t forget to check out the rest of Data Week, our exploration of all things data.
Antiquity: Biblical, Greek, and Roman Spies
Before the internet, before written language, before countries as we know them, there were still spies, and there was still data theft. Espionage is sometimes cheekily known as one of the world’s oldest professions, and just about every empire you can name employed networks of spies tasked with gathering intelligence on enemies both perceived and real. According to the A to Z of Middle Eastern Intelligence, “Egyptian hieroglyphs and papyri reveal the presence of court spies. From 1,000 BCE onward, Egyptian espionage operations focused on foreign intelligence about the political and military strength of rivals Greece and Rome.” But one of the best sources of information about early intelligence-gathering is actually the Bible itself. Spying and intelligence gathering is a major recurring theme in just about every political or military anecdote in the Bible. Moses and Joshua were both huge proponents of espionage, the former having a network of 12 spies, one from each tribe, who were tasked with sneaking into surrounding areas and gathering information on military and agricultural assets. The story of Samson and Delilah is, at its core, a story of intelligence gathering. Terry Crowdy, author of The Enemy Within: A History of Spies, Spymasters and Espionage, refers to Delilah, pictured in this Guernica painting, as “the first female secret agent in recorded history.” Her mission, for which she was paid by Philistine lords, was to find through any means necessary the information needed to defeat a powerful enemy. Interestingly, much of the espionage of this time period was actually counter-espionage–spies seem to have been caught at least as often as they were successful, and feeding false data to spies accounted for many major military victories. The battle of Kadesh, the earliest battle for which key details of tactics are known, was rich with espionage and counter-espionage. 
Hittite spies were sent, posing as deserters, to the pharaoh Rameses, aiming to convince him that Hittite forces were much further away than they actually were. But Rameses captured two not-so-effective Hittite spies and convinced them (“under repeated blows,” says Crowdy) to tell the truth, at which point Rameses called up his reserves and was able to face the battle better prepared. And that counter-espionage only got more complex and nuanced. The Greeks and Romans also used this sort of espionage, sending spies into enemy camps to learn military strategies and report back. Most of the examples that survived history are about the, well, inefficacy of these spies–seems like they were always getting caught, and often sent back with incorrect or incomplete information to lead their armies into traps.
1606: Stealing Chocolate, for Everyone
From military intelligence gathering we move to the much more interesting realm of what is variously known as industrial espionage, corporate espionage, intellectual property theft, and trade secret theft. What all those terms really mean is simple, though the laws surrounding them are pretty complex: theft of ideas. If anyone had ever successfully stolen the secret recipe for Coke, or for the Colonel’s however many herbs and spices, they’d be in here. But the ones that have been stolen are just as interesting. First up: the theft of chocolate. Chocolate, a native of the Americas, had been grown and enjoyed by the pre-Columbian cultures lucky enough to live where it grew, especially the Aztecs and Mayans, both of which sometimes used cacao beans as currency. The beverage they brewed from it was bitter and harsh, and when Columbus first interacted with the Aztecs in Nicaragua, on his fourth trip to the Americas, he didn’t think much of it. Sure, he noticed that the locals worshipped the cacao tree, and that dropped beans were quickly snatched up, but he didn’t much care for the drink and essentially ignored it. Hernando Cortès, on the other hand, saw the financial possibilities of the drink, and brought chests of it back to Spain. Cortès and his contemporaries began building cacao plantations in Mexico around 1550, and tales of the drink’s miraculous medical effects spread. Said Bernard Diaz del Castillo, a companion of Cortès: “The pleasure of consuming chocolate keeps one travelling all day. It keeps exhaustion away, without one feeling the need to eat or to drink.” And chocolate’s popularity grew, soon introduced to Europe. More specifically, chocolate was introduced to the Spanish nobility, who fiercely guarded the secret of the drink for about a century. Chocolate was the most exclusive drink in the world, prized by the richest and most powerful in Spain. But the Spanish couldn’t protect the secret of chocolate forever. 
In 1606, an Italian explorer named Antonio Carletti discovered the secret Spanish chocolate plantations on one of his trips to the West Indies. He immediately published a recipe for what was then called “sweet chocolate” in his native Italy, where it immediately took off.
1708: Europe Steals the Secret of Porcelain
In the grand tradition of Robert Ludlum novels is the story of Francois Xavier d’Entrecolles, a French Jesuit priest who also happened to be an industrial spy who stole and then disseminated one of the premiere manufacturing processes of his time. And d’Entrecolles wasn’t even the only one to steal the process for creating porcelain. Hard-paste porcelain, or, as it was called then, “true” porcelain, is a ceramic material highly prized the world over. The technique for creating it was pioneered sometime in the 9th century in China, and kept secret for many centuries, even as hard-paste porcelain was discovered by the western world. The material is bright white and translucent, brittle but strong, and needs no glazing, unlike “soft-paste” porcelain, so it is just about impervious to water. Back in the early 18th century, porcelain was extraordinarily expensive and trendy, but no westerner had figured out the precise blend of kaolin, feldspar, and quartz, let alone the complex firing process, that gave true porcelain its strength and beauty. It was even known as “white gold,” and was just as expensive as gold and silver. So there was no small amount of interest in stealing the secret formula and method for creating true porcelain. Enter, first of all, an inventor named Ehrenfried Walther von Tschirnhaus, a German who is reported to have reverse-engineered at least the first few steps of the porcelain process. His work was inherited by Johann Friedrich Böttger, a German alchemist, who after trips to China finally figured out some key ingredients in porcelain and created his first batch in 1708. These two are widely regarded as the European creators of porcelain, and their work led to the Meissen factory. But Meissen was a secretive enterprise, keeping its recipe under wraps and improving it in-house. 
That’s why Francois Xavier d’Entrecolles was sent to China where he engaged in some classic industrial espionage: d’Entrecolles ventured to modern-day Jingdezhen, where he personally inspected the kilns at the porcelain factories and even relied on the advanced knowledge of some of his new Jesuit converts. D’Entrecolles sent his findings back, in very detailed form, to his boss in France in 1712. By the 1730s, the letters were widely published throughout Germany, and the secret of Chinese porcelain–along with the monopoly the country enjoyed–was out.
1789: The Father/Spy of the American Industrial Revolution
Samuel Slater is known to America’s youth as the “father of the American Industrial Revolution,” an epithet given to him by Andrew Jackson. Wikipedia lists his occupation as “industrialist.” Both are accurate. But another, no less accurate description would be “industrial spy of the highest order.” By the late 18th century, the Industrial Revolution was in full swing in England. Decades of work in automation had led to the creation of several key machines, like the water-driven spinning wheel patented by Richard Arkwright in 1768. The spinning wheel enabled workers to spin more cotton threads than ever before, and the workings of the machine were kept a close secret. And why wouldn’t they be? Unlike America, with its miles and miles of cotton plantations, England had no such natural resources to rely on–its factories were everything. Enter Samuel Slater, one of the greatest industrial spies the world has ever seen. Samuel Slater was a child worker at a factory using Arkwright machines, and was indentured to and trained by Jebediah Strutt, the owner of the factory. By the time he turned 21, in 1789, coastal cities like Providence, Boston, and New York were struggling to industrialize. Factories began to pop up, but they were often unsuccessful. Slater heard of the struggles of the coastal American cities, and thanks to his many years of work on Arkwright machines was well-versed in English industrial processes. But Slater’s real coup was memorizing in exacting detail, down to the smallest intricacies, the precise workings of the spinning wheel. He learned it so thoroughly, in fact, that he’d be able to reproduce it without having to smuggle highly illegal written plans. In 1789, he left England for New York. By 1790, Slater had written a boastful letter to the Almy & Brown mill in Pawtucket, Rhode Island, promising to build them a spinning wheel just like those in England. 
“If I do not make as good yarn, as they do in England,” he wrote, “I will have nothing for my services, but will throw the whole of what I have attempted over the bridge.” The promise was enough for co-owner Moses Brown, who contracted Slater to build the machines in 1790. Despite the small and, by some accounts, not-entirely-competent staff, Almy & Brown were able to open a factory by 1793, thanks to Slater’s pirated designs. Slater’s new wife, Hannah, helped immensely as well, inventing a type of cotton sewing thread and becoming the first American woman to be granted a patent. One factory later, in 1798 Slater split from Almy & Brown and formed Samuel Slater & Company, opening multiple mills and factories and even modeling his management style after the ones he learned in England, even hiring child workers. Slater eventually spread himself a little thin, but his sons proved to be adept managers and by the time of his death in 1835, Slater owned a whopping 13 mills. Thanks to the efforts of his sons (and, no doubt, to the embargo on British goods imposed in the lead-up to the War of 1812), Slater became a millionaire and his original mill, pictured here, now functions as a museum–to the greatest information thief of the industrial age.
1848: The Great Tea Robbery
Westerners in 1848 were obsessed with tea, and had been drinking it for two centuries–but China had been producing it for two millennia, and no westerner had any idea how it was made, nor were they even allowed into China’s interior, where tea was processed. Even the great Linnaeus made basic, glaring errors in his classification of the tea plant, using an incorrect genus and even classifying green tea and black tea as two separate, though related, plants. This rankled Britain’s East India Trading Company to no end. Here they were with a ludicrously popular product, the raw ingredient of which was a stupidly easy-to-grow plant that thrived in the British colony of India. The English had factories. They had cheap Indian labor. They should be making boatloads of money off this stuff. And yet all scientific investigation into how tea was actually made fell flat. You can’t just pick tea leaves and steep them in water. As perfected by the Chinese, tea production was a complex multi-step process involving natural and artificial heat, all kinds of curing, drying, handling, rolling, and sorting. And the Chinese steadfastly refused to share this process. So the East India Trading Company found themselves a spy. In the wake of the First Opium War between the UK and China, the two nations signed the ridiculously one-sided Treaty of Nanjing in 1842. That ended China’s protectionist stance on foreign commerce, and also left the country vulnerable to exactly the kind of industrial spying they were about to fall victim to. In 1848, the East India Trading Company sent one Robert Fortune (one of the more grandly-named spies in history), a Scotsman with a background in horticulture and botany, to travel to China and bring back the secrets of tea. 
Fortune, not really a trained spy, nonetheless dressed up in, according to Sarah Rose’s For All the Tea In China: How England Stole the World’s Favorite Drink and Changed History (excerpted here), “mandarin garb,” and visited a tea factory in China’s interior. There he discovered the secrets of tea production. Here are some of the things he discovered:
1932-1940: Hacking the Nazis
Moving from the Industrial Age to the Information Age, let’s make a quick stop off during World War II. By the early 1930s, the Axis powers were heavily relying on the Enigma machine to encode and send Morse-coded messages amongst themselves. The Enigma was a beast of a machine, for that time, and the Axis powers believed not that it was uncrackable, but that nobody in their right mind would spend the years necessary to crack the thing, especially as the encryption improved over time. They were wrong. The Enigma was a hell of an encryption device, but it was hampered by that most eternal of problems: Humans are goddamn idiots. Just about every breakthrough the Polish, then Italian, then British, then American cryptographers made was due to a sloppy slip-up from an Axis Enigma operator. The problem: Morse code, transmitted with wireless radios, could be fairly easily intercepted. So both sides made sure to encrypt the crap out of their messages. Of course, if you could crack the encryption… Starting out in 1932, a Polish mathematician named Marian Rejewski joined the Polish Cipher Bureau and began attempting to break down the Enigma’s defenses. His first breakthrough? Discovering the order of the letter notches on the Enigma’s rotors was not the same as on German typewriters, but actually in alphabetical order. He began creating a series of perforated sheets to nail down the cipher further, but the Axis powers made a key change in the operation of the rotors that rendered all his work useless. Womp. Next, Rejewski created what would be called the Polish bomba, or bomb–an electro-mechanical machine that relied on a few key weaknesses (like how a letter could not be substituted for itself) to narrow the possible keys from some kind of ridiculous number (Wikipedia says 10 trillion) to a manageable 17,576. Then Rejewski’s bomba simply performed a brute force attack, trying every single one of those combinations until it stumbled on the right one. 
This machine was capable of cracking the code in about two hours. The Axis continued to improve the Enigma, and the Allied cryptographers continued to crack it, each time. A few years later, Alan Turing, a Brit widely known now as one of the fathers of computing, built on Rejewski’s work by creating his own device, known as the Turing-Welchman bombe. The bombe was actually more like an homage to than a development of the bomba, relying on the elimination of impossible matches rather than the guessing of the correct match. It was a rousing success, and suddenly, the Allies found themselves able to read the Axis communication. It was one of the biggest victories in military espionage of all time. By the end of the war, just about no German communication could be issued without the Allies intercepting and decrypting it. The information wasn’t always used effectively; suddenly buried by a flood of data, the Allied militaries weren’t really sure how to suss out the good information from the irrelevant. The Americans, for example, weren’t able to use the data they’d decrypted to avoid a brutal defeat at the hands of the Germans at the Battle of Kasserine Pass in 1943–even though they’d decrypted messages that foreshadowed German tactics. Still, the decryption of German communications was a major factor in ending the war–Eisenhower called the cracking of the Enigma “decisive” to the Allied victory.
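The two ideas in this section, a key space of 26 × 26 × 26 = 17,576 rotor start positions and the rule that a letter never enciphers to itself, can be seen working together in a small model. This is an added example, not a reconstruction of the bomba or the bombe: it assumes three fixed rotors in a fixed order (the commonly published Enigma I rotor I, II, III and reflector B wirings), no plugboard, no ring settings, simple odometer stepping, and a constructed message and crib.

```python
from itertools import product
from string import ascii_uppercase as ALPHA

# Assumed wirings: commonly published Enigma I rotors I, II, III (left to right)
# and reflector B. Plugboard, ring settings and double-stepping are left out.
ROTORS = ("EKMFLGDQVZNTOWYHXUSPAIBRCJ",
          "AJDKSIRUXBLHWTMCQGZNPYFVOE",
          "BDFHJLCPRTXVZNYEIWGAKMUSQO")
REFLECTOR = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

FWD = [[ord(c) - 65 for c in w] for w in ROTORS]       # right-to-left pass
INV = [[w.index(ch) for ch in ALPHA] for w in ROTORS]  # left-to-right pass
REFL = [ord(c) - 65 for c in REFLECTOR]
KEYSPACE = 26 ** 3  # every start position of three rotors

def step(pos):
    """Odometer stepping: right rotor moves on every key press, carries go left."""
    left, mid, right = pos
    right = (right + 1) % 26
    if right == 0:
        mid = (mid + 1) % 26
        if mid == 0:
            left = (left + 1) % 26
    return (left, mid, right)

def through(table, offset, c):
    """Pass one letter through a rotor that is rotated by `offset`."""
    return (table[(c + offset) % 26] - offset) % 26

def encipher(text, start):
    """Encipher (or decipher: the machine is reciprocal) A-Z text from `start`."""
    pos, out = start, []
    for ch in text:
        pos = step(pos)
        c = ord(ch) - 65
        for i in (2, 1, 0):            # right rotor first, towards the reflector
            c = through(FWD[i], pos[i], c)
        c = REFL[c]                    # reflector has no fixed points
        for i in (0, 1, 2):            # back out through the inverse wirings
            c = through(INV[i], pos[i], c)
        out.append(ALPHA[c])
    return "".join(out)

def crib_offsets(ciphertext, crib):
    """Offsets where the crib could sit: no position may show the same letter
    in crib and ciphertext, because a letter never enciphers to itself."""
    span = len(crib)
    return [i for i in range(len(ciphertext) - span + 1)
            if all(a != b for a, b in zip(crib, ciphertext[i:i + span]))]

def search(ciphertext, crib):
    """Try all 17,576 start positions; keep those whose decryption contains
    the crib at an offset the self-encipherment rule has not already excluded."""
    offsets = crib_offsets(ciphertext, crib)
    hits = []
    for start in product(range(26), repeat=3):
        plain = encipher(ciphertext, start)
        if any(plain.startswith(crib, i) for i in offsets):
            hits.append((start, plain))
    return hits

# Constructed sample data (not historical traffic).
SECRET_START = (6, 11, 20)
MESSAGE = "WEATHERREPORTFORTHENORTHSEA"
CRIB = "WEATHERREPORT"  # guessed plaintext fragment

if __name__ == "__main__":
    intercepted = encipher(MESSAGE, SECRET_START)
    print("ciphertext:", intercepted)
    print("admissible crib offsets:", crib_offsets(intercepted, CRIB))
    for start, plain in search(intercepted, CRIB):
        print("start", start, "->", plain)
```

The same reflector that makes one setting both encipher and decipher is what guarantees no letter maps to itself, which is why a guessed plaintext fragment can rule out positions before any key is tried.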
1983: Into the Internet Age
In the post-internet age, data theft has moved from the small, like the secret formula for Chinese tea production, to the large–like, millions upon millions of secret passwords large. And there has been an onslaught of massive data breaches in the past half-decade or so, from just about every major corporation out there. But in the course of my research, one hack jumped out, for two reasons. First, it’s the third largest data breach in history, in terms of sheer quantity of data stolen. But it’s the second reason that really makes this one remarkable: it happened in 1983. In 1983, an American company called TRW Information Services was a massive force in credit. The company had outrageous amounts of data on credit histories, Social Security numbers, employment histories, financial histories–basically everything a bank would want to know about a person. Its services were used by more than 24,000 subscribers, mostly banks but also retail shops like department stores, and, back in 1983, it was ahead of the curve by providing this data over telephone lines. TRW, in case you’re wondering, still exists. It’s now called Experian. The company may have been ahead of the curve by offering its information over telephone lines, but even by 1983 standards, its security was laughably weak, considering the importance of the information it dealt in. Sometime in 1983, one of the many blossoming messageboards dedicated to hacking managed to divine a password. According to a Newsday article at the time, the hackers swiped a manual from a Sears Roebuck store in Sacramento, CA that subscribed to TRW’s services, and discovered just how easy it was to hack into the database. 
According to SecureInfo, “The TRW system used two codes, a seven-digit code to identify the user and a shorter ‘secret password.’ The first code is less guarded and relatively easy to obtain and the shorter, ‘secret’ code, is ‘far too easy’ to crack.” TRW didn’t even notice the breach until July 1984, at which point the hackers had access to TRW’s database of the credit histories of more than 90 million people. This was a legitimately terrifying hack; the hackers could very easily have used these credit histories to apply for clean credit cards, racking up huge bills on someone else’s dime. And the hackers posted the codes on their messageboard; it wasn’t exactly kept secret. A Newsweek writer who had reported on the fragility of TRW’s database was warned by some of the hackers included in his story that his own credit history was a target, thanks to his reporting. “Everybody hacks TRW,” said one such hacker. “It’s the easiest.” The TRW hack led to the adoption of stricter anti-hacking laws, both on a state and federal basis–but reading the coverage of the story, it’s most remarkable how little people knew or cared about this kind of thing in 1984. A hack of this size, had it occurred this year, would be front-page news the world over. In 1984, it got a brief story in a news magazine. [Pictured: a Macintosh 128k, the cream of the computer crop in 1984]
2008: Hacking the Heartland
The biggest data breach of all time wasn’t an attack on a government, or a massive corporation like Sony or Microsoft or Google. It was a slyly planted bug in the server of a company headquartered in bucolic Princeton, New Jersey, with a cute name, who you’ve probably never heard of. But this hack, back in late 2008, shattered any previous record, putting an insane 130 million customer records at the mercy of hackers. Heartland Payment Systems (feel free to hum the American anthem or lift your glass of bourbon or whatever) is a processing service–at any of the 175,000 merchants who (in 2008, at least) used Heartland, every credit and debit card that got swiped ended up as data in Heartland’s servers. The company conducted over 100 million transactions a month, coast to coast. And in late 2008, hackers installed some malware on the company’s payment server that recorded every transaction, every credit card number, every piece of financial information that passed by. Robert Baldwin, CEO of Heartland (aw wait no), said the hackers had access for “longer than weeks,” which is about the least comforting estimate of time ever. Months? Years? Millennia? Unlike the TRW case, which doesn’t seem to have resulted in much, if any, actual loss in dollars, Heartland’s breach definitely led to some serious fraud. Several banks that had contracted Heartland reported suspicious charges, and the man eventually charged with and convicted of the crime lived a ludicrously opulent lifestyle in Miami. That’s right, this hacker was actually caught. In August 2009, one Albert Gonzalez of Miami was indicted as the man behind the Heartland hack. Gonzalez was one of three men identified, the other two being “in or near Russia,” in addition to one unidentified man also believed to be in Miami. Gonzalez was an experienced hacker, having already attacked companies ranging from Dave & Buster’s and Barnes & Noble to TJX (itself one of the other top ten data breaches of all time). 
Gonzalez plea-bargained, receiving two concurrent 20-year terms in jail, though he actually withdrew his guilty plea in March 2011, saying he was, swear to god, “working as an agent of the U.S. Secret Service” at the time of his indictment.
2009: China Attacks Google
In December 2009, Google discovered some very disturbing attempts at hacking parts of their system. In January 2010, the company reacted by giving as much information as they could, and by making one hell of an implicit accusation: The government of China, in some capacity, was attempting to hack into the Gmail accounts of Chinese human rights activists. Google had stamped down the hacking, and made a bold announcement: the company would stop censoring its Chinese search results, as it had since 2006 as a concession to the Chinese government for letting the company operate its Google.cn search. Google spokesman Gabriel Stricker told Wired at the time that Google was only one of around 30 top-tier American technology companies targeted in the same way–Adobe, makers of super-successful software like Photoshop, came forward shortly after Google, making similar claims, and Northrop Grumman, Yahoo, and others were eventually identified as well. There is hardly any detail on exactly what sorts of attacks were suffered by these companies. The few that spoke out, led by Google, seemed uncharacteristically solemn and grave when talking about the attacks. A source told Wired that Google is “under attack all the time, primarily via unsophisticated channels. I can’t go into detail to demonstrate the level of sophistication, but [the company] doesn’t use that term lightly, and it is quite deliberate.” Later investigation, primarily done by security software maker McAfee, echoed the classification of the attack as unnervingly sophisticated. “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. 
“It’s totally changing the threat model.” As best as we can tell, the attack was orchestrated through some kind of security hole in Internet Explorer, directing a user to a malicious site through social networking or other communication avenues like IM or email. A Trojan horse virus called Hydraq was eventually identified as one of the culprits, enabling incredibly complex and near-undetectable access to a server. China, for its part, denied official involvement in any such hacking, and requested that Google publicly present information that could back up the company’s claims. The entire debacle was and remains a very touchy international debate, with China calling Google’s behavior indicative of a desire to impose western values on the world, and Americans, including Secretary of State Hillary Clinton, decrying China’s censorship of the internet.
2010: The Great Gawker Hack
Disclosure: I am a former Gawker Media employee, but left the company about ten months before the data breach. What happens when the parent company of several top-tier tech blogs rouses the ire of a bunch of angry, talented hackers? In the case of Gawker Media, the parent company of blogs like Gizmodo, Kotaku, Lifehacker, Deadspin, Gawker.com, and Jezebel, you find the login usernames and passwords of 200,000 of your loyal readers floating around BitTorrent. And then you write a post about how to protect your password. In December of 2010, Gawker Media, one of the biggest blog publishers in the world, got hacked, badly. A group of hackers calling themselves Gnosis (a Greek word meaning “mystical knowledge”) gained root access to Gawker’s Linux-based servers. Root access is also known as “superuser” access: someone with root access has the skeleton key to everything in the treasure chest. Gnosis swiped the source code of Gawker Media’s custom-made content management system, the usernames and passwords for every writer on all of the nine Gawker Media sites, access to the company’s Google Apps, Twitter passwords for site Twitter accounts, and in-company chat logs. But the worst part? Gnosis also stole the login information for all of the 1.3 million users that are registered to comment on Gawker Media sites. Most of those were encrypted, but Gnosis still managed to crack around 200,000 of them–and then promptly zipped them up into a 500MB file and uploaded them to BitTorrent to be passed around like a beach ball at a Flaming Lips concert. The group claimed this was in response to the “outright arrogance” Gawker displayed in articles attacking the admittedly despicable internet community 4Chan, though sources claim vociferously that Gnosis is not related to 4Chan. This was a big deal. Far too many people use the same username/password for their banking, email, shopping, and, yes, commenting accounts–and now 200,000 of those were floating around. 
Anyone who used their Twitter account to comment on Gawker sites was especially vulnerable, and spam began issuing forth from their accounts. Think about it: how many sites have needed you to create an account and use a password? How many of those accounts use the same password? Now, how many of those can you remember? Gawker, for its part, immediately closed the hole, issued a public apology (the phrase “deeply embarrassed” may have been used) and posted articles forcefully requesting that all readers change every password they can come up with. The tech sites, especially Lifehacker, which is focused on DIY, software, and tech modification, posted elaborate articles explaining how to create new, secure passwords, remember them, and protect yourself–from hacks like Gawker’s.
2011, 2011, and 2011: Sony’s Three-for-One
Sony’s had a rough year, data-crime-wise. There’s no other way to put it: the company suffered not one but two major–as in, both are in the top ten–data breaches, one of which brought the PlayStation Network completely to its knees, out of operation for nearly a month. Imagine Gmail or Twitter going down for a month. That’s what this was like. Sometime between April 17th and 19th of 2011, Sony fell victim to a hack in which the account information, including credit card information, from a whopping 77 million users was exposed. The company fell under fire for waiting six days before alerting the public what had happened, which is not technically illegal but was seen as very much unethical, especially as victims of other attacks, like Gawker Media, had immediately warned users as soon as they themselves were aware of the hack. Sony is no great friend of some of the, ahem, darker corners of the internet. An early pioneer of digital rights management and proprietary technology that’s about as far from open-source as you can get, the company also has a penchant for suing music and movie pirates as well as those who have physically hacked their gadgets. Sony immediately accused Anonymous, the leaderless sorta-activist, sorta-not hacking group, of being behind the attack, though Anonymous denied any involvement. Fallout from the data theft, financially speaking, was minimal. There are no reported instances of any identity theft or fraud as a result of stolen Sony account information. But the company’s reputation was further sullied, both for waiting almost a week to tell its users that their credit card information was stolen, and for the 26-day down period, during which nobody could legally download games. Then injury turned to insult. A mere few weeks later, on May 25th, Sony reported a second hack, this one affecting about 10,000 users in Canada and Greece. 
And then the end of the trilogy, the big finale: on June 2nd, Lulz Security, a loose group of hackers whose mission is simply to cause mayhem, rather than steal, claimed responsibility for a hack similar to the April hack, in which the data of over a million SonyPictures.com users was stolen. LulzSec, as they call themselves, then flooded the internet with tens of thousands of legitimate Sony music coupons and released the usernames and passwords for the site’s administrators. All in all, the year probably could have been better for Sony.