11 massive government data breaches

We’re constantly hearing about data breaches lately⁠—and it’s no wonder, given that billions of personal records are exposed every year.

While the majority of cybersecurity headlines center around consumer-facing companies such as Facebook and Equifax, the fact is government records are equally at risk.

Some might even argue that our governments’ information on us has a higher risk of exposure because of a lack of incentive to safeguard it: Governments don’t have to grapple with brand crises, PR fallouts, customer retention, or heightening competition as a result of a damning, avoidable cybersecurity breach. And, in some cases, their customers can’t simply pack up and move elsewhere.

Nonetheless, some administrations are responding to the threats posed by online criminals. The U.S. government’s civilian cybersecurity budget, for example, grew to 9.8 billion USD for 2022, up from 8.7 billion USD in 2021.

So how did we get here? Let’s take a closer look at some of the biggest government data breaches.

1. United States Office of Personnel Management

This critical data breach affected nearly 22 million federal employees in the U.S.

The hack, detected in early 2015, was mostly blamed on state-sponsored hackers in China and leaked millions of SF-86 forms.

These forms contain extremely sensitive personal information on existing federal employees as well as those seeking government security clearances. Information gleaned during extensive background checks⁠—addresses, Social Security numbers, foreign visits, even family details⁠—was siphoned off.

To make things worse, the malware remained on the affected computers for two years before it was discovered. A congressional investigation followed, along with the resignation of top OPM officials.

Some estimates say that this attack’s cost to the U.S. government could reach 1 billion USD.

2. India’s Aadhaar

Aadhaar, the Indian government’s national ID database, was hit by a massive data breach in 2018 that potentially affected over 1 billion personal records.

Registration in the database is required for all Indian residents planning to open a bank account, buy a cellular subscription, or sign up for utility services like water and electricity.

The breach was discovered by Karan Saini, a security researcher based in the Indian capital New Delhi, and was the result of security vulnerabilities in a state-owned utility company. The Aadhaar breach exposed the names of individuals registered in the database, their bank account details, and other personal information.

The Indian government claimed media reports of the data breach were “fake news”.

3. Swedish Transport Agency

A far-reaching data breach in Sweden came about after a botched outsourcing agreement with IBM.

The leak at the Swedish Transport Agency revealed critical data like the details of all government and military vehicles, information about the country’s air force pilots, police officials, members of the military’s elite fighting units, and all those who took part in Sweden’s witness protection program.

To blame were lax measures put in place by the former head of the agency, including the waiving of security clearance requirements for foreign IT workers. A later investigation declared that the practice was in breach of Swedish privacy and data protection laws, leading to a fine for the government official. She received one of the stiffest penalties ever issued to Swedish government personnel: half a month’s pay.

4. Iranian nuclear facilities

In 2009, uranium enrichment facilities in Iran were targeted by a highly sophisticated worm, the likes of which had never been seen before.

Referred to as Stuxnet, this malicious piece of code was able to destroy about a thousand uranium centrifuges by causing them to spin beyond recommended limits. It left operators stunned and unaware of the source of the problem, baffling even Siemens, the manufacturer of the machinery in question.

While technically not a data breach, Stuxnet makes the list for its complex nature and terrifying real-world implications. Plus, it’s spawned lots of copycat malware, referred to as “sons of Stuxnet.”

One of these, Duqu, was programmed to mine data from industrial facilities to use in later attacks. Another, Flame, recorded private Skype conversations and spied on government organizations in Middle Eastern countries.

It can be argued that Stuxnet emboldened cybercriminals and hackers-for-hire who aim to damage vital government installations, whether for personal data gain or for widespread pandemonium. We definitely haven’t seen the last of these.

5. U.S. voter databases

Personal information of 191 million American voters was exposed in 2015 after a misconfiguration left it accessible from the open internet.

First discovered by independent researcher Chris Vickery, the data breach included specific details such as names, birth dates, phone numbers, and email addresses of voters across the United States.

Two years after this incident, another security lapse exposed information on 198 million Americans⁠—believed to be every registered U.S. voter from as far back as a decade ago.

The uncovered records listed personal information like home addresses and phone numbers, as well as more detailed profiling information such as ethnicity, religion, and political leaning.

6. Russia’s Federal Security Service

The largest government data breach in Russia took place just a few days ago. Hackers managed to successfully infiltrate the FSB—Russia’s Federal Security Service, similar to the FBI and MI5.

The heist, attributed to hacking group 0v1ru$, targeted a contractor of the FSB and managed to siphon away over 7.5 terabytes of data. The data was then promptly shared with mainstream media organizations.

Some of the secret projects mentioned in the stolen data included an FSB initiative to uncover the identities of Tor users, mass scraping of social media profiles, and preparations to help the Russian government cut its internet off from the rest of the world.

The contractor in question, SyTech, received 40 million rubles in state projects in 2018, according to the BBC, and also serves the national satellite communications operator JST RT Komm.ru as well as the Supreme Court of Russia. It’s unclear whether the stolen data was specific to SyTech’s work with the FSB alone or also involved other state entities.

While the FSB has similarities with the FBI and MI5, it isn’t restricted to just domestic surveillance and intelligence gathering. Its duties extend across Russian borders to include electronic monitoring overseas and other global espionage attempts. Known as the successor to the infamous KGB, the FSB reports directly to Russia’s president.

7. SolarWinds

The SolarWinds breach was one of the most high-profile hacks of 2020, and lurid details of the attack continue to emerge. It’s likely that we haven’t ascertained the full extent of the damage, but here’s what is known so far.

The cyberattack was initiated by Cozy Bear, a group with known ties to Russian intelligence. They targeted the popular network management product Orion, built by software company SolarWinds. The hackers were able to slip a backdoor into an Orion software update, so that every customer who installed that update had their systems compromised.

Such attacks are known as supply-chain attacks: rather than attacking each victim directly, they compromise a trusted third-party supplier with a large clientele and reach the victims through the software it distributes. The U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), which is part of the U.S. Department of Commerce, were affected, along with Fortune 500 companies and more.

SolarWinds also provided services to all five branches of the U.S. military, the State Department, the White House, and the NSA. The National Nuclear Security Administration and the National Institutes of Health were also breached. The company admitted that “up to 18,000” customers may have been infiltrated but declined to give precise details.

The attack was only reported in December 2020, but analysts estimate that it went undetected for about eight or nine months, during which the cybercriminals were able to move around inside victims’ networks freely.

The overall extent of the damage is yet to be known.

8. Canadian taxpayers

A report by the Canadian government found that mishandling of data within the government had exposed the personal information of 144,000 Canadians over a two-year period.

The data breaches, which started in early 2018, came to light in February 2020. The Canada Revenue Agency suffered the most egregious exposure, with over 3,000 incidents that affected 60,000 individuals.

Other exposed government bodies included Health Canada with 24,000 files breached, the Canadian Broadcasting Corporation with 20,000 files breached, and Canada Post with over 5,000.

Under Canadian law, each data breach is supposed to be reported immediately to the Office of the Privacy Commissioner, but the report found that many agencies failed to do so.

The breaches are thought to be the result of human error and not attributable to malicious hacking attempts.

9. Wyoming Department of Health

The Wyoming Department of Health came under fire earlier this year when health information from roughly 164,000 Wyomingites—including Covid-19 and flu data—was mistakenly uploaded to GitHub. Wyoming is the least populous state in the U.S., which means that around a third of the state’s residents were affected by this breach. Sensitive information leaked included patient IDs, addresses, dates of birth, and test results.

Wyoming’s health director and CIO resigned in the aftermath of the breach.

10. Ministry of Defence (UK)

Email addresses of over 250 local interpreters, who aided British forces in Afghanistan, were mistakenly leaked in an email sent by the Ministry of Defence (MoD). With the Taliban taking control of Afghanistan following the withdrawal of U.S. troops, individuals who worked with foreign forces were put in an uncomfortable position, with the majority forced to go into hiding.

As of September 2021, some 17,000 refugees have been repatriated by the UK, while others have fled to neighboring countries. In sending the email, the MoD mistakenly placed every recipient in a visible address field, so each interpreter could see all the others. Several interpreters who replied, unaware of the issue, replied to all and so copied in every other address from the initial message again. An investigation is currently underway.
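One way an outbound mail gateway could catch this failure mode before a message leaves, as an added example that is not from the article: it parses an outgoing message, flags a large visible (To/Cc) recipient list, and rewrites the message so the list moves to Bcc, which also stops a reply-all from reaching everyone. The threshold of 10 recipients and the sample message are constructed assumptions.

```python
from email.parser import Parser
from email.utils import getaddresses

# Assumed policy threshold for this example; not a figure from the article.
MAX_VISIBLE_RECIPIENTS = 10

# Constructed sample: one outbound message addressed to 12 people in To.
SAMPLE_RECIPIENTS = [f"recipient{i:02d}@example.invalid" for i in range(1, 13)]
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: " + ", ".join(SAMPLE_RECIPIENTS) + "\r\n"
    "Subject: Status update\r\n"
    "\r\n"
    "Please reply to this message.\r\n"
)


def visible_recipients(raw_message: str) -> list[str]:
    """Return the addresses every recipient can see: To and Cc (never Bcc)."""
    msg = Parser().parsestr(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_recipient_exposure(raw_message: str) -> dict:
    """Flag a message whose visible recipient list is large enough that
    sending it would disclose each recipient's address to all the others."""
    count = len(visible_recipients(raw_message))
    return {"visible_count": count, "exposed": count > MAX_VISIBLE_RECIPIENTS}


def rewrite_to_bcc(raw_message: str) -> str:
    """Move To/Cc recipients into Bcc and address the message to the sender,
    so each recipient sees only the sender and a reply-all reaches no one else."""
    msg = Parser().parsestr(raw_message)
    recipients = visible_recipients(raw_message)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = msg.get("From", "")
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


if __name__ == "__main__":
    print(check_recipient_exposure(SAMPLE_MESSAGE))                   # exposed: True
    print(check_recipient_exposure(rewrite_to_bcc(SAMPLE_MESSAGE)))  # exposed: False
```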

11. The Office of the Washington State Auditor

On Christmas Day 2020, the Office of the Washington State Auditor (SAO) was hacked, exposing the personal information of 1.6 million people who had filed unemployment claims. Specifically, a third-party vendor used by the SAO to handle high volumes of personal data was breached. What makes this especially ironic is that the SAO had issued an audit report the day before, outlining vulnerabilities in how certain agencies were handling sensitive data.

Information stolen included Social Security, driver’s license, and bank account numbers. Further, data from 25 state agencies and 100 local governments, and adoption data on several families, was also compromised.

Merry Christmas indeed.

Protect your data

Always use a strong, unique password and a VPN.