Marylanders' data exposed in scores of hacks

It was a typical winter morning on the Twitter feed of Eastern Shore television station WBOC: a stream of messages about snowfall and a reminder to download the station's weather app for the latest updates.

Then the Cyber Caliphate arrived. Just after 11 a.m., the station's logo was replaced with the image of a masked man, and a torrent of propaganda supporting the Islamic State spewed onto the feed.


"Infidels, New Year will make you suffer," the account's new controller warned.

The cyberattack grabbed national headlines. But it was just one among scores of hacks that have affected Marylanders in the past year, according to records released by the state attorney general's office.


The data reveal a constant assault on information: On average, two companies that do business in the state fell victim each week in 2014. The breaches ranged from the very large — the attack on Home Depot, in which the data of more than 50 million credit cards were exposed — to the very small, such as a hack on a Baltimore law firm that might have compromised the paychecks of a single employee.

The cyberattack on Sony Pictures Entertainment at the end of last year — which derailed the release of the Seth Rogen movie "The Interview" — affected an estimated 45 current and former employees in Maryland.

As more devices connect to the Internet, and more commerce and life takes place online, vulnerability to digital mayhem is only likely to get worse. President Barack Obama is expected to outline what the federal government can do to help in next week's State of the Union address.

"Much of our critical infrastructure — our financial systems, power grids, pipelines, health care systems — run on networks connected to the Internet," Obama said in warm-up comments last week at the Department of Homeland Security. "So this is a matter of public safety and of public health."

As if to prove his point, on the day he rolled out the first policy proposal — legislation that would require businesses to notify employees and customers when they have been hacked — the Twitter feed and YouTube page of the U.S. Central Command was hijacked by what appeared to be the same group that had commandeered the WBOC feed a week earlier.

Maryland already has a law that requires businesses to tell employees and customers of breaches. They must also inform the attorney general's office.

Companies told the state that in 2014 the personal information of as many as 26,000 Marylanders — addresses, Social Security numbers, credit card information and the like — had been compromised by hackers or malicious software.

The true number is likely far greater. Not all of the reports are detailed, and the records do not list how many people in Maryland were affected by known breaches last year at Home Depot, Staples, eBay and the University of Maryland, College Park.


Nor do they capture every kind of attack. In the WBOC hack, for example, station managers did not think any personal data was taken, so they would not have to file a report.

Stolen data is traded in shadowy online markets. It's valuable to criminals, who can use it to impersonate victims, to make fraudulent purchases or for other purposes.

Jeff Karberg, an official at the Maryland attorney general's office, spends his days dealing with freaked-out consumers who have received a letter telling them their data has been compromised.

"This last year we saw a lot of those retail breaches," he said.

Government agencies have several ways to respond. After the University of Maryland breach, the FBI launched a criminal investigation of an information technology consultant who said he hacked the university months before to highlight its lax security. The probe ended without charges, according to the man's lawyer.

Obama wants stiffer criminal penalties for hackers.


State attorneys general have pursued companies that they believe fell victim because of lax security. Maryland and eight other states reached a settlement with the online shoe seller over a 2012 breach. The settlement requires the company to investigate whether it needs to improve its defenses and update the attorneys general on its progress.

Zappos declined to comment.

Home Depot and Staples said they took steps to improve security after they were hacked, and offered customers free credit monitoring. After it was hacked, eBay said that it did not believe financial information had been compromised but that it had also moved to improve its security and advised users to change their passwords. The University of Maryland offered credit monitoring and formed a task force to look for security problems.

Michael Powell, managing partner at Gordon Feinblatt, the law firm that suffered a minor breach, said the company hired a security team to investigate but was unable to determine who was behind the hack.

Not all stolen data ends up being used for fraud. Karberg advises individuals whose data might be at risk on steps they can take. He tells them to keep a close eye on their bills and to consider freezing their credit to prevent impostors from opening new accounts in their names. Maryland law also allows parents to freeze their children's credit.

Some of the most frustrated consumers Karberg hears from are those who take pride in protecting their information — shredding their mail before putting it in the trash, for example — and still fall victim.


"In reality, you have to go out into the world and do business," he said. "Around the margins there are things you can do, but it's really hard to make other people take as good a care of your information as you would yourself."

The centerpiece of Obama's proposal is a law that would make it easier for the government and private companies to share data on threats, and help one another to plug holes in computer code before hackers find them.

So just as the FBI might share information about a suspected bank robber with branches in a region, the Department of Homeland Security could alert companies to glitches in computer code that leave them exposed.

It's an approach Rep. C. A. Dutch Ruppersberger has long advocated. The Baltimore County Democrat focused on cybersecurity during his 12 years on the House Intelligence Committee.

"We've got to get this under control," he said.

But legislation — including the Cyber Intelligence Sharing and Protection Act, which Ruppersberger co-sponsored in 2013 — has stalled over concerns about privacy.


The bill, known as CISPA, would have created avenues for businesses and the government to share information about imminent attacks, and given legal protection to companies that hand over data or that use tips from the government to act on threats.

The bill passed the Republican House with support from many Democrats, but went nowhere in the then-Democratic Senate. Aides to Obama said they would recommend a veto if it reached his desk.

Privacy concerns have only intensified since National Security Agency contractor Edward Snowden revealed details of the agency's formidable snooping powers.

"In CISPA, you didn't have any privacy restrictions," said Mark Jaycox, an analyst with the Electronic Frontier Foundation. "You had pretty much a free transfer of information from private companies to the government."

Privacy campaigners pushed hard against the bill. When Ruppersberger reintroduced it this month, technology blogs lit up with headlines attacking the measure.

Ruppersberger is more concerned about communication in the other direction. Under current law, the NSA and other agencies can't share information on attacks they detect. He wants to free them to do so.


The main disagreement between Ruppersberger and Obama concerns the handling of personal data that is bundled with information about a hacking threat.

The president's proposal would require companies to strip out identifying information before passing it along. But Ruppersberger thinks cleansing the data might be too expensive for many smaller companies.

"Our bill is a voluntary bill of information-sharing," he said. "You've got to give incentives to the businesses so they will cooperate."

Thomas J. Donohue, head of the U.S. Chamber of Commerce, compared the challenge of cyberattacks to uncertainty over government budgets and the prospect of the Federal Reserve raising interest rates.

"What happened to Sony can happen to any business, organization, government agency or media outlet," he said last week in his State of American Business address. "Government and the private sector must work together on this challenge, and we are calling on the new Congress to pass a cybersecurity information-sharing bill without delay."

Some computer security researchers question how much the legislation would help.


Jonathan Katz, the director of the Cyber Security Center at the University of Maryland, said businesses already share much information among themselves when they catch a problem that might have widespread implications. And giving them wide legal protections to share information might end up encouraging companies to take security less seriously.

"Granting blanket protections from lawsuits for companies that are not following good cybersecurity practices is not the right approach," Katz said.

Avi Rubin, who studies and teaches computer security at the Johns Hopkins University, said he is relieved Obama is taking his field seriously. But he diagnosed a problem more fundamental than sharing information or legal protections.

He said many people who design software simply don't think enough about security. He said they need to be better trained.

"There are a lot of really, really bad systems out there, but I think even the good systems are vulnerable," Rubin said.

The federal government has been wary about private businesses taking the initiative against cyberattacks on their own.


Some companies have moved to use strong encryption to scramble information when it's being sent to them or when they are storing it, making it harder for hackers to steal data or use if they do get their hands on it. But after Apple and Google announced last year that they would encrypt data on their smartphones, FBI director James Comey called on the technology companies to leave open a hidden door so law enforcement could still access information on the devices.

Rubin said balancing the government's desire to help companies protect information while still being able to use it to fight crime is difficult, if not impossible.

"They want to be able to snoop on the communications of the bad guys, while at the same time, they need to protect the security of commerce and national infrastructure," Rubin said. "Unfortunately, they cannot have it both ways."

Significant hacks in 2014


November — Sony Pictures Enterntainment: Hackers said to be tied to North Korea raided the movie studio's files and derailed launch of Seth Rogen film "The Interview"

September — Home Depot: Attackers put tens of millions of credit card records at risk in one of the largest ever retail data heists

May — eBay: The online marketplace warned customers that potentially all of its 145 million active accounts had been breached

February — University of Maryland: Hackers breached 300,000 student, alumni and staff records.

Go online to explore the full database of Maryland data breaches

Source: Maryland Office of the Attorney General