THE SCALE of cybercrime continues to astonish. The latest eye-opener is a Milwaukee security firm’s claim that Russian hackers stole 1.2 billion usernames and related passwords. This must be one of the biggest hauls of all time, and while it is not clear what the hackers intend to do with their stolen data, the report should serve as another wake-up call to Congress and the American people to break out of their long period of complacency.
According to the firm, Hold Security, Russian hackers strung together networks of virus-infected zombie computers known as botnets that were programmed to do their bidding. Whenever they discovered storage of passwords and usernames, they flagged the location and came back later, injecting a code that caused the database to disgorge its contents. In this way, they managed to accumulate more than a billion unique credentials. While such groups have often peddled similar data troves, in this case the hackers seem to be using them to broadcast truckloads of spam, according to the New York Times. What will they do next?
A natural reaction to this might be to shrug. Doesn’t it happen all the time? Yes, and that’s the problem — these data breaches are accelerating. In December, 40 million credit card numbers and some 70 million addresses, phone numbers and other pieces of personal information were stolen from the retailer Target by hackers who siphoned them right out of the company’s card readers and networks. Losing a credit card number is a real pain, but the theft of usernames and passwords isn’t small potatoes either; it could lead to damaging identity theft or worse. Hundreds of Web sites provide access for little more than a username and password, and the Russian hackers scooped up the equivalent of three credentials for every person in the United States.
How can there be any further doubt that cyberspace has become a danger zone for theft, intrusion and espionage? If a billion of anything were stolen in this country — say, a billion candy bars were shoplifted on the same day — wouldn’t it be appropriate to demand urgent action? Unfortunately, as a society and an economy, the United States remains vulnerable and overly complacent. Many companies find they cannot defend themselves against the onslaught; the Russian hackers pulled their loot from 420,000 Web sites, including some run by major firms. This week, Ellen Nakashima of The Post reported that a major U.S. contractor that conducts background checks for the Department of Homeland Security suffered a computer breach that probably resulted in the theft of employees’ personal information, and the company said the intrusion “has all the markings of a state-sponsored attack.”
Congress has been wrestling with legislation to bolster the private sector’s cyberdefenses in collaboration with the government, without much to show for it. Promising legislation is on offer in both the House and Senate. When lawmakers return after the summer recess, perhaps they will finally get down to business and do something about it.