
The Largest Data Breaches in US History: Part I

Jun 03, 2024, 43 min

Episode description

TicketMaster recently acknowledged a massive data breach that has affected more than half a billion customers. Where would it fall on a list of the worst data breaches in US history? We look at instances from LinkedIn to Home Depot.


Transcript

Speaker 1

Welcome to TechStuff, a production from iHeartRadio. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeart Podcasts, and how the tech are you? So recently I talked about how the US Department of Justice has filed a civil antitrust lawsuit against the company Live Nation Entertainment, which, among many other things, operates the service Ticketmaster, a service that I would say has fostered a lot of very strong opinions among concertgoers, including yours truly. I have very strong feelings about Ticketmaster. But last Friday night, which was the night of May thirty-first, two thousand twenty-four, for those of y'all listening from the future, Ticketmaster was in the news for a reason, because the company had been the target of hackers who allegedly stole data belonging to around five hundred sixty million Ticketmaster customers. Now, that data reportedly includes personal information like names, addresses, and phone numbers, as well as purchase history. So, you know, that means the hackers can check and see if a, you know, very public punk rocker type has secretly been sneaking off to watch Taylor Swift concerts or something, and also some partial credit card information, like the last four digits on credit cards. Ticketmaster slash Live Nation initially kept quiet about this revelation, but then late on Friday confirmed that a data breach did in fact happen. This is a problem for lots of reasons. I mean, anytime there's a data breach, that's a problem. But when you're talking about a data breach affecting hundreds of millions of people, that just spells a massive headache moving forward. And we'll talk a lot about why that is in this episode. But really I thought I would chat about some of the largest data breaches in US history, which is a super happy topic, right? But I thought it was really important to consider how technology that's meant to make systems more efficient and effective can also sometimes provide an opportunity for malicious agents, for hackers, to make off with potentially huge amounts of information.

And as we all know, information is valuable. I mean, it is the currency of the Internet in many ways, and data breaches are becoming more and more common. The Identity Theft Resource Center reported that in twenty twenty-one, there were one eight hundred and sixty-two data breaches that it was able to identify. In twenty twenty-three, that number was up to three thousand, two hundred five, almost double. However, I feel I should clarify that twenty-five of those incidents were data exposures, and two of them were data leaks, and fifty-six were incidents that weren't categorized at all. They're uncategorized; I don't know the nature of them. So that leaves us three twenty-two cases of actual data breaches, and the differences between these different categories are sometimes subtle and a little gray.

As for my source for what constitutes the largest data breaches in the United States, I decided to settle on one source just for the list. Right, I went into lots of sources for the details of all these things, but I used a blog post on upguard dot com. It was written by Kyle Chen. Now, Kyle Chen lists twenty-six cases of data breaches, and the Ticketmaster case isn't among them. It hasn't been updated since the Ticketmaster issue. Arguably, Ticketmaster should be in any list about large data breaches in the United States, because this was a big one. I imagine when the dust settles, it could end up on that list. Where, I can't say. Chen's definition of the biggest isn't just in how many records were part of a data breach. Like, that's not the only factor that constitutes whether or not it merits consideration. Also the nature of the information and the impact the breach had end up factoring into how it falls on the list. And twenty-six cases is way too many cases for a podcast episode, or even, you know, two of them. So I'm just gonna go with the top ten, and even that's gonna require me to break this into two episodes, and I'm gonna work backward to add to the drama. By the way, Kyle Chen at no point says that this is a ranked list, so you could argue I'm just giving you ten random large data breach stories out of a list of twenty-six, and that's a legitimate criticism. But a guy's got to start somewhere, right? Anyway, I'm doing this as a list because I've watched a lot of Jenny Nicholson's older YouTube videos recently, and I absolutely love how she turns everything into, quote, an internet friendly numbered list, end quote. I think that's very funny. I mean, RedLetterMedia did the same thing with the Plinkett reviews with all the different parts, although that was somewhat necessitated by the fact that in the early days when they were posting those super long reviews, YouTube videos were limited to ten minutes each, so they would upload like a nine-part series to take down the Star Wars Episode One critique or whatever. Anyway, I've decided to go backward in order to increase the drama.

So we're gonna start with number ten, which is FriendFinder Networks. And this one's a doozy. So FriendFinder Networks deals with products and services that include some that are not suitable for a family friendly podcast. I will use some euphemisms, but they include stuff like adult entertainment, webcam sites, that kind of thing. That's part of what FriendFinder Networks operates.

The adult magazine company Penthouse bought FriendFinder in early twenty sixteen, and interestingly, the company operates several dating services, including one intended to help people find someone with whom to have casual sexual encounters, that being Adult FriendFinder, on one end of the spectrum. And on the other end of the spectrum, they have a dating service for devout Christians. So I guess it's a company that really does believe in equal opportunity to make money off of various audiences. Anyway, as a company with businesses that are in the adult entertainment sphere and social networks and also dating services, FriendFinder Networks has access to a lot of sensitive user information, and that includes info that customers absolutely would prefer remain private, or at least under their own control.

So it was a bit of a shock in late twenty sixteen when news broke that hackers stole data from the company that stretched back two decades. Like, there was information in there that was twenty years old, and it even included information belonging to people who had long since deleted their accounts with FriendFinder Networks, but their information remained on company servers despite the fact that they had deleted their accounts. That seems like a very bad data ownership policy, right? To retain information about people who had subsequently deleted their account with you, that's a real problem. So the method that these hackers used relied on LFI, which is local file intrusion, or sometimes local file insertion. It kind of depends upon who you're talking to, but the name sort of explains how this works. The hacker injects essentially malicious directions into a system, and they do this usually by incorporating those directions into a file, so, for example, a multimedia file. This multimedia file might contain basic directory commands within the file itself, so essentially it tells the system, hey, execute these commands in this order, and if the server isn't protected against such relatively simple attacks, if I'm being honest, then the code can prompt the web server to configure the file improperly and give backdoor access to a hacker, which is in fact what happened in this case.

The hackers got access to information stored on the affected servers, and there were six databases in total that were affected by this, six massive databases, and the take was huge. So the hackers made off with information that related to more than four hundred and twelve million customer accounts. The information included email addresses, including some belonging to government and military users, transaction history, account passwords. Some of these passwords at least were encrypted, but they used a really primitive hash to do it, an outdated method that was no longer considered secure, so that was a big problem. More than three hundred million of the accounts came from Adult FriendFinder, and more than sixty million came from a webcam site. And I'm sure a lot of customers got really nervous about this. I mean, the taboo nature of these sites and services meant a lot of people were probably sweating over their past activities and hoping they wouldn't be exposed. Now, keep in mind that one year earlier, in the summer of twenty fifteen, hackers compromised around thirty-two million accounts from the company Ashley Madison. Ashley Madison was built around the idea of a dating service that would let married people secretly find potential partners in order to have an affair. There was this sense that some sort of hacker anarchist was going to reveal salacious details about folks in the wake of these attacks, or that at the very least, they would make these details available so that anyone who really wanted to sift through all the stolen information could dig up whether or not, you know, the neighbor down the street was secretly trying to sneak around behind their partner's back or whatever, or the sexual orientation of people you knew. You could find that kind of information out based upon the stuff that had been stolen in these sorts of attacks, and depending on where you are, that kind of thing can have deadly consequences. So the information involved with this data breach was extremely sensitive, particularly from a social perspective. I mean, you're not likely to come forward and say I was the victim of identity theft if it also means you have to cop to something that is socially taboo. Like, there's just a lot of pressure on you to not come forward, that the idea of coming forward is actually worse than someone taking advantage of the information they have on you. So, while this hack didn't include stuff like credit card information, just the fact that names were appearing on these customer lists was a huge problem. It could give other hackers the opportunity to engage in blackmail or spear phishing and target people based on what was revealed in their data with FriendFinder. And that's a real issue that's going to come up again and again in these episodes, is that idea of, yeah, the data might not include, say, your credit card, but that's not really the concern here. The concern is, how can someone use your information to victimize you in various ways? And one of those is spear phishing.

So what did FriendFinder Networks do in response to this? Sadly, the answer was not much. While security researchers alerted the public that they had detected a vulnerability in the FriendFinder Networks system, the company did not acknowledge the data breach for a full week, and only then began to send out notifications to customers. And the company didn't have any really helpful advice for those customers either, saying that people should change their passwords. Now, according to idstrong dot com, the company had lax password requirements in the first place. Passwords weren't even case sensitive, for example, and they didn't update this, so their password protocols were still not really at an industry standard. And here's a real kicker. The company had also been breached in twenty fifteen. Now, the twenty fifteen breach, because remember the one we're talking about is really twenty sixteen, but the twenty fifteen breach was much smaller in scope. Only three and a half million users were affected. That's still a lot of people, but it's nowhere close to four hundred and twelve million. But the types of information that were stolen included things like partial payment information. And at least in some of the research I was doing, like, some sources said that the types of info that were stolen in the twenty sixteen attack did not include things like sexual orientation or preferences or that kind of thing. Other sources said, no, that was part of the twenty sixteen hack as well. So I don't know what the full extent was, but a lot of the analysis I've looked at about this particular breach points out that the company failed to act properly in the wake of the twenty fifteen breach, which meant it was essentially set up for the much larger attack in twenty sixteen. So that's a pretty damning allegation there, right? That a company had already been the victim of a massive data breach and then failed to take the adequate response in order to prevent an even larger data breach the following year. So again, just having the basics of your information leaked out would be a huge problem given the nature of this company. And despite the company's arguably lackluster response to the breach, customers kept on being customers. I guess they never had to learn a lesson because there really weren't massive consequences. And again, maybe this is partly because of the nature of the services themselves, right? Like, for a customer to put up a big fuss, they would also have to reveal themselves to be a customer in the first place, and then the social taboo kicks in again. But unlike some other companies that we're going to talk about in this episode, FriendFinder Networks didn't see serious setbacks as a result of this attack. Okay, and we just got through one, and we've got lots more to go. So let's take a quick break to thank our sponsors and we'll be right back.

Okay, we're moving on to number nine on our list. And this one is a

real blast from the past. It's MySpace, and this attack technically happened in twenty thirteen, but it wasn't discovered and reported until twenty sixteen, and even twenty thirteen was late in the game for MySpace. Now, MySpace was once the king of social networking platforms, but it had been losing ground to Facebook since two thousand and nine. News Corp, which had purchased MySpace for a whopping five hundred and eighty million dollars in two thousand and five, ended up selling the company off to Justin Timberlake and a company called Specific Media in twenty eleven for thirty-five million dollars. So again, they purchased it for five hundred eighty million and then six years later sold it for thirty-five million. Not a good deal. By twenty sixteen, Time Incorporated purchased Specific Media, and then Meredith Corporation acquired Time Incorporated, because there's always a bigger fish. That story gets more and more complicated too, but we're going to leave that here. My point is that MySpace had already experienced a dramatic decline in relevance by twenty thirteen when the attack actually happened, but still, the site had millions of user records, and a hacker was able to get access to them. Like, three hundred and sixty million records. The data lifted during the breach included email addresses, user names, and passwords, which were encrypted using, again, an outdated method, and therefore security experts considered it insecure, and that was a real issue. Right now, looking back on this hack today, there's a disturbing lack of information as to how it actually happened. It went undiscovered for nearly three years and only really came to light when folks realized that data from the breach was popping up for sale on black market sites on the Dark Web. As for who was responsible and the vulnerabilities they exploited, that remains something of a mystery.

MySpace responded to this news by invalidating all the passwords of all the affected accounts, which would require users to set up new passwords, and also encouraged people who weren't directly impacted to go ahead and update their passwords as well, in an overabundance of caution. Like the FriendFinder breach, there wasn't much a user could do to protect themselves from the hackers. In fact, I would argue there was nothing a user could do. It wouldn't matter if they had used a strong or a weak password, because the real issue was MySpace was using a very weak hashing method to encrypt passwords in the first place. So even if you picked a very strong password, if it's being stored in an encryption that can easily be broken, then they can just get to your password anyway. Doesn't matter how strong it was. You did your part. MySpace failed, is what I'm saying.

Now, all that being said, I do still urge everyone to use unique, strong passwords for all their sites and services. Unique is really important, because if you're using the same password everywhere, it just takes one data breach to be able to compromise all of your stuff. If they have your email and whatever password you use for that, you know, one, like, obscure website, and it happens to be the same password you use for, say, your bank, that's bad news for you. Use unique passwords. Get a password vault of some sort, a good one. Research this and find one that really works for you, and make unique, strong passwords for each of the sites you go to so that you can avoid this issue. Because data breaches, sadly, are not uncommon. They're getting more common every year, and this will help protect other elements of your online presence from hackers. Sadly, there's not very much you can do to protect the systems themselves. I mean, that's in the control of whatever platform you're using. And I'm not telling you not to use platforms, goodness, no, I use tons of them. Just be as careful as you can be to mitigate any issues that might pop up due to data breaches. Also, you know, enable multi-factor authentication if that's available. If it's on there, use it. Again, nothing is absolutely foolproof. I'm not here to tell you that if you have multi-factor authentication you'll never get hacked. That's not necessarily true. But the more precautions you take, the better. The harder you make yourself to be a target, the more effort it takes to actually crack your security, and the less likely someone's going to actually pursue that. It's not impossible, but, like, why struggle if you can go for all the low hanging fruit? Don't be low hanging fruit. Still, now, if hackers are breaching a company's systems, we're really left to the competence of that company when it comes to personal security.

So our first two entries on this list are both web based companies, right? We had MySpace and we had FriendFinder Networks. But up next is a company known for its brick and mortar operations, and I'm talking about Home Depot, which experienced a massive data breach in April

twenty fourteen. This was an attack that compromised more than fifty million customers' data, including their credit or debit card information, lifting that information right from inside the stores themselves. And this attack went unnoticed until the hackers started putting the credit card info up on sale on the dark web, at which point Home Depot was made aware that they had been breached. So let's walk through how this attack happened. So, according to the US Office of the Director of National Intelligence, the hackers first secured, quote, credentials, user names, and passwords from a third party vendor, end quote, and that gave them the foothold into Home Depot's computer network. So first they identified a company that worked with Home Depot. They were able to secure a username and password from this company. They used that to infiltrate Home Depot's computer network. On top of that, they then were able to essentially take advantage of a zero day vulnerability that was within Microsoft Windows. So a zero day vulnerability is a fancy way of saying that the entity responsible for making whatever the thing is, so in this case, Microsoft Windows, is unaware that the vulnerability even exists. And because they're unaware that there is a vulnerability, there's no means to prevent or mitigate attacks that leverage or exploit this vulnerability. Zero day vulnerabilities are incredibly valuable in the hacker community because there's no real defense against them, and if you're very careful, you have the chance to continue to exploit these kinds of vulnerabilities for a while before anyone notices. So it's called zero day because that's how much time the, you know, the entity, Microsoft in this case, has before malicious agents are able to exploit that vulnerability. So the hackers exploit Microsoft Windows and they're exploring Home Depot systems, and they're able to identify thousands, like seven five hundred, points of sale systems in self checkout lanes at physical Home Depot stores. So again, this was not targeting the online point of sale operations for Home Depot. You know, the website commerce part of Home Depot was not part of this attack. And I just think that's good to point out, because I don't think it's as common now, but I remember when online commerce first became a thing, people were scared to buy stuff off the internet. They were reluctant to use their credit card to purchase something online because they were worried about security, which is understandable, but it turns out that going to a brick and mortar store is not necessarily more secure, because those systems are also connected to networks that ultimately get connected to the Internet, and so if you're able to compromise those networks, then you can still tap into that kind of system.

So the hackers deployed custom built malware for these points of sale systems, and they used this malware to record the credit and debit card information of Home Depot customers. They even made sure that they transmitted that data during Home Depot's business hours so that the company's security team wouldn't notice, like, a transmission at an odd hour. Like, if it was two in the morning, then the security team was saying, like, hey, why is our system sending info out at this hour? That could be a tip off. So they made sure that all those transmissions happened during normal business operating hours, and that would kind of mask these on top of all the legitimate transmissions. Cybersecurity experts criticized Home Depot for having insufficient security measures in place. The company estimated that it spent nearly one hundred and eighty million dollars in the wake of this attack to pay off all the various costs. On top of that, there was a class action lawsuit from across forty-six states that ended with Home Depot settling out of court for seventeen point five million dollars. Now, Home Depot didn't admit, you know, responsibility for this, but it did promise to invest in security measures, including hiring a chief of information security. Now, as for that seventeen point five million dollar settlement, I just want to put that into context so that we can kind of appreciate what that means or doesn't mean. Keep in mind, around fifty-six million customers were affected by this data breach. So if you were to include all of them in the class action lawsuit, which obviously is not realistic, but, you know, we're just doing this as a thought experiment, then that would mean each person would receive the princely sum of thirty-one cents. That's only if the various lawyers of all the different states did this case gratis, for free. So what I'm saying is that while Home Depot may have had to spend a lot of money to deal with the aftermath of this breach, the settlement I think was a case of getting off lightly considering the nature of that breach. But I also have to remind myself that ultimately the real criminals here are the hackers who pulled off the attack and the folks on the dark web who purchased the credit and debit card information. Those are the real criminals. While I can be disappointed in Home Depot's lack of security, or lackluster security in this case, I don't want to blame the victim. Like, I do think that there is a responsibility there, but the real villains are the people who did the stealing. It's just, it's easy to blame big companies as well when they fail to be good stewards of customer information.

So next up on Chen's list of massive data breaches here in the United States is another one that happened in twenty fourteen. This attack targeted the bank JP Morgan Chase, and it impacted around eighty-three million bank customers. Seventy-six million of those were households, and the other seven million were small businesses. This attack also reportedly leveraged a zero day vulnerability, but in this case, it was a vulnerability in JP Morgan Chase's web applications, so this gave the hackers the foothold to access kind of a directory level of server information for JP Morgan Chase. This then let the hackers identify databases containing customer information. Now, one source I looked at suggested the information included financial data like credit card information, but that was just in one source, and every other source, including The New York Times, says that was not the case. So I feel pretty confident that that one source was an outlier and had some misinformation in it. I mean, that's a flag for all of y'all out there. So it's always good to double check things and check multiple sources. Sometimes it can be really difficult to determine what reality is based on the reporting of various sources. Sometimes even reputable sources get things wrong. So, you know, thinking critically involves a lot of checking and double checking, and sometimes it involves making an educated guess as to what is most likely to be real. So in this case, I think it's most likely that the information that was stolen was personal information but not financial information. So the attackers got access to things like names, email addresses, that kind of thing, which again doesn't sound like it's as critical as credit card information, but it's still really useful data if, for example, you want to create a spear phishing campaign and trick people into making mistakes. Like, if you know they are customers of this particular bank, and you know what their email address is, and you know their actual name, you can craft an attack targeting that person that appears to be coming from the legitimate business and potentially take advantage of them that way.

So the hackers then developed attacks for these servers they had identified, and they ultimately infiltrated around ninety servers within the business. The attackers had started back in June twenty fourteen. JP Morgan Chase would detect the intrusion a month later in July. The public, however, would not find out about it until September, when the company disclosed the attack in a securities filing and various media outlets reported on it. Now, considering that other major breaches like the aforementioned Home Depot attack, there was another one that hit Target, these attacks were fresh in the minds of consumers because they were national news here in the United States. The JP Morgan Chase attack was a huge blow because it revealed that even massive financial institutions, which had good reputations for being really secure, could also fall victim to hacker intrusions, which became a brand new source of anxiety for American consumers. And as for the attackers in this case, there were four identified, arguably five. The fifth one, however, was kind of after the fact, but the main four included a Russian citizen named Andrei Tyurin. There was an American named Joshua Samuel Aaron, aka Mike Shields. That's the alias he would use in some of his nefarious activities, according to authorities. And then there were two Israeli citizens. There was Gery Shalon, aka Gary Shallis Lashville, I know I mangled that name, aka Gabriel, aka Gabby, aka Philip Moussey, aka Christopher Ingeham. Lots of aliases for Gery Shalon. And then finally there was Ziv Orenstein, aka Aviv Stein, aka John Avery. So for four people, that's a lot of different names, right? Well, these four hackers were linked to numerous crimes, not just the JP Morgan Chase instance. There were other ones as well, and they were also operators, I believe, of online casinos or something along those lines. Anyway, at least one of them, that being Gery Shalon, was released early. He secured an early release after agreeing to a plea deal that had him pay a whopping four hundred three million dollar fine. Now, if you can afford to pay a four hundred three million dollar fine to get out of the pokey, I mean, I guess crime really does pay. Other folks connected to the scheme were not so fortunate. So, for example, Andrei Tyurin received a twelve year sentence at the end of his trial. So I guess it's, you know, who you know, and who you know needs to be a whole lot of Benjamin Franklins. JP Morgan Chase pledged to beef up the company's security and would double the investment within five years, from two hundred and fifty million a year to five hundred million a year. So that's good.

Okay, got a couple more I want to talk about before we wrap up Part One, I guess, of our top ten largest data breaches in US history. But first, let's take another quick break to thank our sponsors.

We are up to number six on our list of biggest data breaches in US history. And that would be LinkedIn. Uh, LinkedIn, that social network site that I almost never log into.

If I were a savvy mover and shaker, I would make way better use of LinkedIn, But I'm not, and so I post to my account once every blue moon, and I keep thinking, Man, I need to make better use of this resource and really network with people. That could be so helpful. But I've got only so much emotional energy for things like social networks. And I still have a LinkedIn account. I just don't use it very much. However, because I have a LinkedIn account, this next story affects

me whether I pop on there regularly or not. This data breach is quite a bit different from the ones we've talked about so far because this one did not involve a HA gaining access to LinkedIn's internal systems. There

was no security intrusion in this case. Instead, the hacker someone at least what's believed is that was a hacker using the handle Tomliner, but Tomliner could be a middleman like he might not he or she or they might not have been the person responsible for the actual hack, but they did get access to at least some of the data. Anyway, The quote unquote hacker simply used tools to scrape data off public profiles on LinkedIn. A ton of public profiles, like more than ninety percent of the

public profiles on LinkedIn. That would be around seven hundred million profiles. And here's the crazy thing. Earlier that same year, the same person claimed responsibility for leaking five hundred million LinkedIn records, So this was like the second time in the same year and going from five hundred million to seven hundred million yaalza. Now, essentially this methodology is the same as if you were to go manually from LinkedIn profile to profile and you just jotted down all the

relevant information that you were looking for. You know, stuff like what's a person's username, what's their full name, what's their phone number, their email address, you know what other social networking sites do they use? Anything that would appear on the person's profile. You would just jot it down. That would take you an eternity to do seven hundred million, So you create a tool that will just do this automatically.

So the hacker had used LinkedIn's API, that stands for Application Programmer Interface, and they designed these data scraping tools to harvest user data. This was against LinkedIn's policies, but there really weren't any measures in place to actually prevent it from happening. So yeah, LinkedIn says, hey, don't do this, but they didn't have a way to stop you from doing it twice in the same year, as it turns out. Now, this attack did not compromise stuff like passwords or financial information, but it did include things like those connected social applications. So if an affected user had linked their Facebook account or whatever to their LinkedIn profile, that meant the attackers would have that information. And again, this can be incredibly helpful if you want to design a phishing attack.

You know, your basic blunt phishing attack might start from a place where little to nothing is known about your target. But the more attackers learn about you, the better they can craft an effective trap. And considering that there were a lot of executives using LinkedIn to network with each other, there's some really high value targets mixed in with everybody else. Like even if it's not an executive, it might be someone who's an associate of an executive, like an assistant or a coworker or something like that, a direct report. And if you're able to know who that person's direct report is, or who they're reporting to, I guess I should say, then you can craft an attack that might be very convincing. You know, a classic one is your boss apparently texting you out of nowhere saying, hey, I need access to five thousand dollars in petty cash, can you wire it to me, and then they give you a link, and it turns out it's just someone who's made the connection. They know who your boss is, and they're using that to pressure you into doing something you really shouldn't do. That's a very simple example, but it happens all the time. So this LinkedIn attack is a pretty tricky one.

And we've seen similar data scraping techniques across the web, both for the purposes of harvesting user information and, in recent years, also using it to train up AI models. And typically platforms condemn these practices. They say it violates their policies. They want to protect their user information. Now, I would argue it's largely really because user data is valuable, and these platforms would very much like to prevent other entities from taking advantage of the same information that the platforms themselves are profiting off of. It's not so much to protect our privacy as it is to protect the platform's investment in gathering all the information in the first place. Like, no, this is ours. This is ours to exploit and to profit from, not yours. Well.

Number five on this list includes an old topic for Tech Stuff, which is the infamous Cambridge Analytica case with Facebook. Now, this one is a little bit complicated, but I'll see if I can summarize at least the tech side of it, although it does also include politics. Sorry, I wish it didn't, but it's literally the very nature of this case. So the LinkedIn attack we just talked about is kind of similar to this, because this attack, the Cambridge Analytica scandal, really centers on some loopholes in Facebook's API.

So it all starts with a researcher named Aleksandr Kogan. And Kogan used Facebook's API to create a survey app, and it would pay Facebook users a small amount in return for them taking the survey. What they did not know is that anyone who opted to take this survey was unknowingly giving Kogan the ability to view that person's friends' profiles as if Kogan were in fact the person taking the survey. So let me give an example to make this a little more clear. Let's say I'm your friend on Facebook. Hi, friend. And as your friend, I can see more of your profile than just some random schmo on the internet, right? Maybe you've set certain things on your profile to friends only, so as your friend I can see that. But some random person wouldn't be able to see that, right? But then I decide I'm going to go take the survey so I can make twenty bucks or whatever. And now Kogan can see your profile as if he were me, because of this loophole in Facebook's API, and so now Kogan can view all of your friends-only information as if Kogan were your friend. So Facebook would actually close off this loophole before the Cambridge Analytica scandal became a thing. Like, Facebook made that change in the years following twenty thirteen, when Kogan did this actual work.

But by then the data already existed with Kogan. Kogan had access to all this information, and he worked with Cambridge Analytica to share it. And so Cambridge Analytica had access to all this data they shouldn't have. They did not have the consent of the various people on Facebook to share the information, and they began to use this data in various ways during political campaigns, mostly conservative ones. Cambridge Analytica was a British company. It was a sort of a campaign strategy company, and their pitch was that they were using data driven techniques to make it far more effective to get messaging out to potential voters, and it was largely for conservative politicians. Facebook was reportedly aware of these issues, but didn't take any action until a former Cambridge Analytica employee essentially blew the whistle on the whole operation and it became a big public scandal. Now, ultimately it's debatable whether any of Cambridge Analytica's efforts were actually that effective, but the point is the company got access to somewhere between fifty and ninety million Facebook profiles that it should not have been able to access, and that's a big no-no.

Now, both Cambridge Analytica and Facebook would face serious repercussions for this scandal. Facebook would face hundreds of millions of dollars in various costs, from fines to a massive class action lawsuit settlement, and in a separate but related matter, the Federal Trade Commission, or FTC, would fine Facebook an astonishing five billion, with a B, dollars for failing to practice secure and ethical data privacy policies. Cambridge Analytica was just kind of related to this. It was a specific instance of a larger problem. Now, Cambridge Analytica would actually fold as a result of this scandal. The company ended up essentially liquidating, but you could argue Cambridge Analytica is not really gone, because some other companies that were related to Cambridge Analytica would continue to exist, and they bought up the assets of Cambridge Analytica. So yeah, you could argue it's still out there lurking, it's just under different names.

Now, the political nature of Cambridge Analytica and the use of psychological profiling techniques really make this particular data breach stand out. Now, you could argue there are lots of other breaches, including ones we've already talked about, that had a much broader scope and involved way more victims, right? But the involvement of psychological profiling, specifically for the purposes of affecting political campaigns, makes this one seem particularly sinister.

But as I said earlier, number five actually includes Cambridge Analytica. It's not exclusively Cambridge Analytica. That was just part of it. The whole of number five on Chen's list is Facebook itself, specifically with regard to an April twenty twenty one incident anchoring the topic, and that is where we're going to pick up in our next episode. We'll pick up with number five and Facebook and talk about the twenty twenty one incident that merited entry upon this list of the largest data breaches in US history, and then we'll, you know, work our way through four, three, two and one, and I'll probably have more to say about Ticketmaster as well as we get to that.

Anyway, just as a reminder again, there's very little we as individuals can do about these kinds of things. I mean, if we work in the security department of these big corporations, we can try and make sure that the practices we're using are best practices and that we're not being lax at all on computer security. But for the rest of us, you know, we can just do what we can to protect ourselves and hope that the companies we do business with are doing the same. And if they're not, we can take whatever little measures we might have to mitigate the impact it's going to have on ourselves. But really, a lot of this is out of our control. This is why security is an everybody problem, not just on the individual or on the company. It's everyone involved. And it only takes one weak link to make a real entry point for malicious agents. So I know that's not very comforting, but it's good to know the reality of the situation, that we all need to do our part as best we can. Even that's not going to protect us from everything, but it will at least limit the amount of effect these hackers can have, and hopefully we'll be able to act in such a way to minimize the impact. If you can do that enough, then you remove the incentive to attack in the first place. If it's so hard to get a success in your attack, you might figure there's a way to make money faster and easier, some other method. So yeah, let's make it real hard for the crooks to do crime. If we do that, maybe they'll look for something else. So that's the hope.

I hope that all of you out there are doing well, and I will talk to you again really soon. Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.

Transcript source: Provided by creator in RSS feed.