Records and Government Databases


The Old Title Holders

Back in June 2015, a breach of the US Office of Personnel Management (OPM) was being described as “among the largest breaches of government data in the history of the US”. At the time it was estimated that records of around 18 million people had been targeted, although that estimate was later increased to 21.5 million.

In fairness though, in 2006 the US Veterans Affairs Department lost a laptop, potentially exposing the details of 26.5 million veterans and active duty personnel. The laptop was recovered a month later and, although nobody could prove that it wasn’t accessed in that time, the data was intact and nothing appears to have occurred since then to suggest that it was.

Similarly, in 2007 the UK’s HM Revenue and Customs lost computer disks containing confidential details of 25 million child benefit recipients. It is generally believed they really were just lost in the traditional sense, and the data never accessed.

The US National Archives and Records Administration (NARA) was accused in 2009 of putting the data of 76 million veterans at risk. It was revealed that NARA’s policy in the event of a hard drive failure was simply to return the affected disk, complete with unencrypted data, to the vendor who, if they were unable to repair it, would then pass it on again to a third party for recycling. Hank Bellomy, the NARA IT manager who blew the whistle on the organisation’s practice, described it as “the single largest release of personally identifiable information by the government ever.” Bellomy says he warned his bosses “The data (is protected) under the Privacy Act — it’s against the law” and adds “We have no clue how many drives have been sent back over the past seven years since this system was in place.” Although the drive could not be traced, there appears to be no reason to believe that anyone at either the vendor or the third-party recycler actually attempted to access the sensitive data, and we can reasonably assume that the disk was destroyed.

Smashing Records

On 27 March 2016 the Philippine Commission on Elections (COMELEC) was breached not once but twice. The first time was by Paul Biteng, a 23-year-old with a reputation as a “white hat” hacker, reportedly considered something of a “master” in hacker circles, with his name on the Thanks lists for responsibly finding and reporting vulnerabilities to both Facebook and Microsoft in 2014. This time, however, Biteng left the trademark calling card of hacktivist group Anonymous splashed across the COMELEC website, demanding that they improve voting security and warning them “We are watching”.

During the process of hacking the organisation he claims he shared details that allowed others to repeat his steps and, on the same day that his warning appeared, a hacker group named “Lulzsec Pilipinas” posted a link to a 338 GB dump containing 75.3 million electoral register entries. Removing those tagged as “disapproved” still leaves 54.28 million, roughly matching the total of 54.36 million registered to vote in the Philippines. More worrying still, the data appears to include 1.3 million passport numbers and expiry dates for overseas Filipino voters, and 15.8 million fingerprint records, although the fingerprint data, at least, may prove indecipherable without the bespoke software used to generate it. Biteng insists that this was not his intention and that he regrets it happening, but the “freaking huge” breach, for which he must take at least partial responsibility, could see him sentenced to up to 6 years in prison.

Around the same time an old leak of the Turkish Citizenship Database resurfaced. It had been leaked before, but encrypted at the time; now it was in plaintext for all to read, nearly 50 million records, accompanied by a clearly political message.

The record for exposure by apparent stupidity was also smashed in December 2015, when security researcher Chris Vickery discovered a poorly configured database leaking the personal information of 191 million US voters, including names, home addresses, voter IDs, phone numbers and dates of birth, as well as political affiliations and a detailed voting history going back to 2000. Nobody has claimed responsibility for the database, but the popular theory seems to be that this is through shame and embarrassment rather than malicious intent.

At least Paul Biteng may be able to take some solace in the fact that the COMELEC breach was only “potentially the biggest government related data breach in history” for under 3 weeks, as on 14 April 2016 Mr Vickery hit yet another jackpot. On an Amazon cloud server he found 93.4 million Mexican voter registration records, publicly accessible with “no password or authentication of any sort required”. This time there seemed little question that someone had deliberately put them there. Vickery writes, “In my hands is something dangerous. It is proof that someone moved confidential government data out of Mexico and into the United States. It is a hard drive with 93.4 million downloaded voter registration records — The Mexican voter database.”

So, that’s around 389 million records of personal information, from various countries, exposed, either deliberately or accidentally, in just 4 months.


I’m sure I can’t be the only one wondering whether these dots ought to be joined. Even if these are not all related, it seems to me that these recent, enormous breaches are far too similar to ignore. And to my mind it casts serious doubt over the “accidental” nature of the US database leak.

But whether this is intended to be the message or not, there certainly is a message coming through loud and clear:

Our data is not safe. We need to do better.


2-sec is a leading provider of security consulting services. These include penetration testing, PCI DSS, Cyber Essentials, PA DSS, virtual CISO and training & awareness.
