Chapter 10. Exposure and Weaponization

“Someone has your password” warned the email subject line. On Saturday, March 19, 2016, John Podesta, chair of Hillary Clinton’s presidential campaign, received a security notification that appeared to come from Google. By then, the U.S. presidential election was in full swing. Clinton had won 19 primaries; but her opponent, Bernie Sanders, was picking up steam. Every day mattered on the campaign trail.

“Hi John,” read the notification, which was sent to Podesta’s personal Gmail account.1 “Someone just used your password to try to sign in to your Google Account [email protected]. . . . Google stopped this sign-in attempt. You should change your password immediately.” This was followed by a clickable button that said “CHANGE PASSWORD.” Instead of linking to Google’s actual site, however, the button linked to a shortened URL service, which in turn forwarded the reader to a strange domain that had the country code of Tokelau (a New Zealand territory).2 It wasn’t really from Google.

1. Podesta Emails, “Re: Someone has your password,” WikiLeaks, accessed March 14, 2018, https://WikiLeaks.org/podesta-emails/emailid/36355.

2. Bitly, accessed March 14, 2018, https://bitly/1PibSU0+.

Podesta didn’t click immediately. His chief of staff forwarded the email to the campaign’s IT help desk manager, Charles Delavan. “This is a legitimate email,” Delavan responded, incorrectly. “John needs to change his password immediately, and ensure that two-factor authentication is turned on his account.” Following the help desk manager’s assurance, Podesta (or someone assisting him) clicked on the link.

It was a mistake that would cost the Clinton campaign dearly. Unbeknownst to the campaign staff, hackers stole Podesta’s emails and shared them with WikiLeaks, an international organization dedicated to publishing “censored or otherwise restricted official materials.”3 WikiLeaks was far from a neutral third party. Its founder, Julian Assange, had made no secret of his anti-Clinton stance, and even published a statement on WikiLeaks in February 2016 saying that “[a] vote today for Hillary Clinton is a vote for endless, stupid war.”4

3. “What Is WikiLeaks?,” WikiLeaks, November 3, 2015, https://WikiLeaks.org/What-is-WikiLeaks.html.

4. Julian Assange, “A Vote Today for Hillary Clinton is a Vote for Endless, Stupid War,” WikiLeaks, February 9, 2016, https://WikiLeaks.org/hillary-war.

The WikiLeaks hackers didn’t release the Podesta emails right away. They waited.

Just one month before the U.S. presidential election, on October 7, 2016, WikiLeaks released the first 2,050 of “The Podesta Emails.” The dump was posted less than an hour after the Washington Post published the bombshell “Access Hollywood” tape showing Donald Trump caught on a hot mic making crude remarks about women. Podesta himself speculated that the timing “might not have been a coincidence.”5

5. Aaron Sharockman, “It’s True: WikiLeaks Dumped Podesta Emails Hour after Trump Video Surfaced,” PolitiFact, December 18, 2016, http://www.politifact.com/truth-o-meter/statements/2016/dec/18/john-podesta/its-true-WikiLeaks-dumped-podesta-emails-hour-afte.

The emails were organized in a searchable, indexed database that gave the public full access to 58,660 emails from Podesta’s personal Gmail account. Podesta had clearly used his personal account extensively for work, and the emails contained extensive—at times embarrassing—internal conversations, phone numbers, passwords, as well as donor Social Security numbers (SSNs), and personal details.

Instead of releasing all 58,660 emails at once, WikiLeaks broke the data into 36 chunks. Over the next four weeks, it stoked the media’s attention by releasing one or two parts each day. It wasn’t just a data breach; it was a full-fledged media campaign based on stolen data—every organization’s worst nightmare.

“The drip, drip, drip of the hacked emails . . . makes it all but impossible to measure their effect precisely,” wrote political commentator Harry Enten. “But we can say two things: (i) Americans were interested in the WikiLeaks releases, and (ii) the timeline of Clinton’s fall in the polls roughly matches the emails’ publishing schedule.”6

6. Harry Enten, “How Much Did WikiLeaks Hurt Hillary Clinton?” FiveThirtyEight, December 23, 2016, https://fivethirtyeight.com/features/WikiLeaks-hillary-clinton.

Podesta was not alone. He was one of many officials who succumbed to hacking during the 2016 presidential campaign within the Hillary for America campaign, the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and other political and high-profile organizations. U.S. intelligence agencies accused the Russian government of launching the cyberattacks as part of a formal campaign to “influence” the outcome of the 2016 presidential elections. Others disagreed, pinning the blame variously on an independent hacker, CrowdStrike (a forensics firm involved in the investigation), and even Democrats themselves.7

7. Eric Bradner, “Trump: DNC Hacked Itself,” CNN, June 16, 2016, http://www.cnn.com/2016/06/15/politics/dnc-hack-donald-trump.

Whoever the hackers were, and whatever their motive, one thing was clear: The 2016 U.S. presidential election breaches illustrated a fundamental shift in the way stolen data was leveraged. Many politicians and high-ranking officials had been hacked over the past decades. Traditionally, the hackers stole data quietly like mice in the night, furrowing out breadcrumbs of data and secretly using it to their advantage. Suddenly, the criminals brazenly dumped their stolen goods out into the open, leveraging sophisticated public relations (PR) tactics.

In this chapter, we’ll discuss different motivations for data exposure and analyze response tactics. Along the way, we will show how information exposure technology has evolved. Finally, we’ll examine the emergence of the “megaleaks” phenomenon and discuss how it affects breach response strategies.

10.1 Exposure Breaches

Data exposure has become a major risk for all kinds of organizations. Recall from Chapter 5, “Stolen Data,” the definition of exposure:

Exposure - Data is revealed to the world, thereby damaging the target’s reputation, unmasking illicit or objectionable activities, or reducing the value of an information asset.

In this section we will discuss the motivation for data exposure and the evolution of key technologies and tactics.

10.1.1 Motivation

Everyone—from teenagers to CEOs—has to worry about the threat of data exposure. Stolen data is deliberately exposed for a variety of purposes, including:

  • Hacktivism

  • Whistleblowing

  • Politics

  • And more

(There are also cases of accidental exposure, which we discuss more in Chapter 13, “Cloud Breaches.”)

10.1.2 Doxxing

The concept of “doxxing”—revealing sensitive details about a person on the Internet—was one of the earliest forms of weaponized data exposure. Publishing a victim’s SSN, birth date, and other details could subject victims to identity theft and frustrating financial consequences. Cyberbullying is also facilitated by doxxing, since exposed contact information could be leveraged to make prank calls, send harassing messages, or even initiate death threats.

Any site that is used to host data can be leveraged for doxxing. For example, “pasting” sites allow anyone in the world to post arbitrary text; such sites are often used to doxx victims or leak sensitive data. Pastebin.com is one popular mainstream pasting site. There are plenty of legitimate uses for pasting sites, and many (including Pastebin.com) do not condone data leaks.

Over time, doxxing tactics became more sophisticated. “Hacktivists” took the concept of doxxing and wielded it against corporations and other entities as a weapon. “Hacktivists have gone after everyone from foreign governments and corporations to drug dealers and pedophiles,” reported the Huffington Post. “Police departments, hospitals, small towns, big cities and states also have come under attack. Online activists have successfully frozen government servers, defaced websites, and hacked into data or email and released it online.”8

8. Jenni Bergal, “‘Hacktivists’ Increasingly Target Local And State Government Computers,” Huffington Post, January 11, 2017, https://www.huffingtonpost.com/entry/hacktivists-increasingly-target-local-and-state-government_us_587651e8e4b0f8a725448401.

Whistleblowers leveraged data exposure in order to incite change. Disgruntled employees leaked data to damage corporations and government agencies. Political operatives around the world published stolen data to impact diplomatic relations and influence elections.

Perpetrators quickly found that data exposure was an effective tool for influencing their targets, fueling even more breaches.

10.1.3 Anonymous

The “Anonymous” movement popularized the use of data exposure as a tool for driving change or exacting revenge.

In 2003, the earliest inklings of “Anonymous” emerged out of the 4chan imageboard website. (Particularly popular was 4chan’s “/b/” board, the host of random postings that was the genesis for “lolcats,” “rickrolling,” and countless other Internet memes.) On 4chan, users were free to post images, thoughts, and ideas under arbitrary usernames—or no name at all. If a person didn’t enter a specific name, his or her post would be automatically attributed to “Anonymous.”

As a result, countless posts on 4chan were attributed to the same name, “Anonymous,” giving a label to a wide and varied collection of postings produced by thousands of users. “Anonymous is not a single person, but rather, represents the collective whole of 4chan,” explains the site’s FAQ. “He is a god amongst men.”9

9. “FAQs: Who Is ‘Anonymous’?,” 4Chan.org, accessed March 16, 2018, https://www.4chan.org/faq#anonymous.

Anonymous grew to be a powerful god. Over the years, 4chan’s users joined forces to take collective action against other organizations online—often for political or social causes.

Anonymous rose to international fame in early 2008, when the collective launched its “Project Chanology” attacks against the Church of Scientology, after the church attempted to force YouTube to remove a leaked video featuring Tom Cruise. Incensed by the concept of Internet censorship, Anonymous declared war and engaged in a variety of attacks, including doxxing. Hacktivists released stockpiles of the church’s “secret” internal documents, as well as contact information of key figures, subjecting the church leadership to endless prank calls and faxes.10

10. Tony Ortega, “DOX: The FBI’s 2008 Investigation of Anonymous and its Attacks on the Church of Scientology,” Underground Bunker, August 26, 2017, https://tonyortega.org/2017/08/26/dox-the-fbis-2008-investigation-of-anonymous-and-its-attacks-on-the-church-of-scientology; Ryan Singel, “War Breaks Out Between Hackers and Scientology: There Can Be Only One,” Wired, January 23, 2008, https://www.wired.com/2008/01/anonymous-attac; Mark Schliebs, “Internet Group Declares War on Scientology,” News.com.au, January 25, 2008, https://web.archive.org/web/20080128185211/http://www.news.com.au/technology/story/0,25642,23107452-5014239,00.html.

As Anonymous gained followers and unleashed its wrath against a growing list of targets, the public struggled to wrap their minds around what, exactly, “Anonymous” was: A group? A movement? “It’s more like a stampeding herd,” observed the Guardian’s technology editor, Charles Arthur, “not quite sure what it wants but certain that it’s not going to put up with any obstacles, until it reaches an obstacle which it can’t hurdle, in which case it moves on to something else.”11

11. David Leigh and Luke Harding, WikiLeaks: Inside Julian Assange’s War on Secrecy (London: Guardian, 2013), 207.

The herd—or whatever it was—frequently took up causes relating to equality and the free exchange of information, lashing out against perceived inequality, censorship, and antipiracy movements. Data exposure was a common tactic, often used alongside denial-of-service attacks to damage targets.

10.1.4 WikiLeaks

Exposed data may also be hosted by websites that are specifically designed to publish stolen data. WikiLeaks is one such service. Founded in 2006 by Julian Assange, WikiLeaks broke new ground in data exposure, incorporating new methods for hosting and marketing breached information. In an interview with Der Spiegel, Assange refers to the site as “a giant library of the world’s most persecuted documents. We give asylum to these documents, we analyze them, we promote them and we obtain more.”12

12. Michael Sontheimer, “We Are Drowning in Material,” Spiegel Online, July 20, 2015, https://www.spiegel.de/international/world/spiegel-interview-with-wikileaks-head-julian-assange-a-1044399.html.

Over the years, WikiLeaks grew from a nascent, Wikipedia-style site where anyone could submit or edit leaked material, to a sophisticated, redundant, highly connected global publishing syndicate. It gave anonymous sources confidence to share and expose documents that might otherwise have remained buried; it then fed breached data to reporters all over the world, bridging the arcane world of Internet geeks and the mainstream media. Within just a few years, WikiLeaks grew into a global powerhouse, used by data leakers all over the world to expose governments, corporations, political entities, and more.

Today, WikiLeaks offers would-be leakers:

  • Anonymous submissions

  • Reliable, resilient hosting platform

  • Connections with the mainstream media

  • Searchable database that enables readers to analyze information efficiently

Since WikiLeaks burst into the public spotlight, many similar sites have followed its example, leveraging similar techniques to spread large volumes of breached data around the globe.

10.1.5 Weaponization

Over time, data exposure perpetrators became increasingly savvy. Instead of releasing data all at once, they found they could expose data in small, carefully timed chunks, effectively creating a bad news campaign for their chosen target. Furthermore, they learned to create derivative data products that highlighted the most damaging information and presented it in ways that were attractive to the mainstream media and general audiences. The results were powerful and painful.

Sony Pictures Entertainment is one example of how a series of timed data releases can turn a nasty data exposure case into a PR nightmare.

10.1.5.1 Sony Pictures Entertainment 2014 Breach

Walking into the office on Monday, November 24, 2014, employees of Sony Pictures Entertainment (SPE) were greeted with a shocking sight: their computers were locked up, and the normally benign screen had been replaced by a frightening image of a skull. “We’ve already warned you, and this is just a beginning” read the note that was plastered across their screens. “We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.” The message was followed by a deadline and then a list of data links.13

13. Kim Zetter, “Sony Got Hacked Hard: What We Know and Don’t Know So Far,” Wired, December 3, 2014, https://www.wired.com/2014/12/sony-hack-what-we-know.

SPE’s operations were totally down. The attackers had installed malware that totally wiped the data on half the company’s workstations and servers, thousands of systems in all. Employees had no access to email or critical files. “The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.” SPE’s team set up a “war” room, holding meetings twice daily and working around the clock to restore operations. The hackers’ deadline loomed, and then passed, without any major development—or so it seemed.14

14. Mark Seal, “An Exclusive Look at Sony’s Hacking Saga,” Vanity Fair, March 2015, https://www.vanityfair.com/hollywood/2015/02/sony-hacking-seth-rogen-evan-goldberg.

In those painful first days, few could have imagined it was only the beginning of the hackers’ payback.

10.1.5.2 Internal Data Dumps

By the end of the week, the hackers had dumped five unreleased Sony films onto the Internet. The following week, the hackers published the salaries of top Sony executives, as well as thousands of employees. This triggered a massive debate over the gender pay gap, when it was discovered that male employees were paid significantly more than their female counterparts at the studio.

Next, the hackers leaked a spreadsheet that contained names, SSNs, and birth dates for nearly 4,000 Sony employees, triggering state data breach notification laws—and a human resources crisis. “Employees lined up to get help with credit protection and fraud alerts, and with setting up new e-mail and phones,” reported Vanity Fair. “The F.B.I. came in to give victim counseling and seminars on identity theft.”15 The hackers also published hundreds of passwords for internal servers, bank account details, internal incident reports, and extensive volumes of additional data.

15. Seal, “Exclusive Look.”

Rumors began circulating that North Korea was behind the hack.16 At the time, Sony was preparing to release The Interview, a comedy about two journalists who are recruited by the CIA to assassinate Kim Jong-Il. North Korea had expressed strong concerns regarding the film, referring to it as an “act of war.”17 Representatives for North Korea denied responsibility for the hack but referred to it as a “righteous deed.”18

16. Arik Hesseldahl, “Sony to Officially Name North Korea as Source of Hack Attack,” Recode, December 3, 2014, https://www.recode.net/2014/12/3/11633486/sony-to-offcially-name-north-korea-as-source-of-hack-attack.

17. Aly Weisman, “A Timeline of the Crazy Events in the Sony Hacking Scandal,” Business Insider, December 9, 2014, http://www.businessinsider.com/sony-cyber-hack-timeline-2014-12.

18. Weisman, “Timeline.”

10.1.5.3 Email Exposure

In the early days of data exposure cases, security teams focused on securing personally identifiable information, payment card data, protected health information, and other regulated data. Most people shrugged off the idea of email hacking. “Who cares if someone gets into my email?” was a common refrain. “I don’t have anything an attacker would want.”

The SPE breach illustrated the extensive damage that can be done when an executive’s email inbox is exposed to the world. On December 9, the hackers posted yet another data dump, which contained the full internal emails of Amy Pascal, chair of SPE’s Motion Pictures Group. The emails contained inflammatory comments, including a racial remark regarding the president of the United States, and bitter rants about actors such as Angelina Jolie.

Some commentators were shocked that the executives would even put such inflammatory statements in writing. “What were they thinking?” wrote Donna Rosato of Time magazine. “Companies routinely monitor worker communications. Email is regularly used as evidence in lawsuits and criminal investigations. Now hacking is another threat. Email isn’t private. Everyone knows that.”19

19. Donna Rosato, “Why Smart People Send Stupid Emails That Can Ruin Their Careers,” Time, December 15, 2014, http://time.com/money/3632504/smart-people-stupid-email-pascal-rudin.

The fallout continued into early 2015. Pascal was forced to resign. Sony had attempted to put the genie back in the bottle by sending takedown notices to websites hosting its stolen data and sending threatening letters to media outlets that published stories on it. But Sony’s attempts were ineffective. In April 2015, the company was thwarted entirely when WikiLeaks posted hundreds of thousands of stolen documents and emails. “This archive shows the inner workings of an influential multinational corporation,” explained Assange. “It is newsworthy and at the center of a geopolitical conflict. It belongs in the public domain. WikiLeaks will ensure it stays there.”20

20. Brett Lang, “WikiLeaks Publishes Thousands of Hacked Sony Documents,” Variety, April 16, 2015, https://variety.com/2015/film/news/wikileaks-sony-hack-1201473964; WikiLeaks, “Sony,” press release, April 16, 2015, https://wikileaks.org/sony/press.

The SPE data breach represented a landmark development in data breaches, demonstrating to executives everywhere that exposure of emails could lead to the downfall of a well-respected executive, as well as worldwide negative media attention. Reading the news headlines, managers everywhere shuddered at the thought of what might be in their email accounts. After SPE, many more people thought twice before putting controversial thoughts in email and hitting “send.”

10.2 Response

Data exposure breaches can be effectively managed using the DRAMA model of data breach management, as described in Chapter 4, “Managing DRAMA”:

  • Develop your data breach response function.

  • Realize that a potential data breach exists by recognizing the signs and escalating, investigating, and scoping the problem.

  • Act quickly, ethically, and empathetically to manage the crisis and perceptions.

  • Maintain data breach response efforts throughout the chronic phase, and potentially long-term.

  • Adapt proactively and wisely in response to a potential data breach.

In data exposure cases, there are distinct tasks that response teams must handle during the “realize” and “act” phases, including:

  • Verify that the data is authentic.

  • Investigate the breach, in order to identify the perpetrator, prevent further leaks, and help scope the breach.

  • Remove the data from the Internet as soon as possible.

  • Conduct an effective public relations campaign to minimize the reputational or political fallout from the exposure.

In the early days of data exposure cases, accomplishing these goals was often relatively straightforward and within the reach of an effective response team. Since then, however, distribution systems such as WikiLeaks have made it very difficult to identify the source or remove data from the Internet.

In this section, we will analyze response tactics for data exposure cases, including verification, data removal, source identification, public relations tactics, and more.

10.2.1 Verify

The first step for responders in any potential data exposure case is to check that the exposed data is authentic and originated from your organization. If not, then the victim organization can simply point out that the data is not legitimate, which is a very strong defense. There is no reason to spend time, money, and effort on a data breach investigation if a breach never occurred in the first place.

Verification strategy varies depending on the type and volume of data stolen. Typically responders take a sample of the exposed data and compare it with internal databases to determine whether there is a match. Comparison can involve examining any or all of the following characteristics of the exposed data:

  • Structure and format of stolen data (e.g., fields in databases, order, etc.)

  • Filenames

  • Cryptographic checksums

  • Content

The trickiest cases are when exposed data dumps contain some legitimate content, in addition to some fake or doctored content. In the modern day and age, a few clicks can produce realistic-looking documents or alterations. Leaked data may be altered in subtle ways, to more effectively fuel media interest or incite public anger.

When appropriate, consider asking forensic analysts or IT staff to audit the leaked data using cryptographic checksums or other techniques, in order to proactively detect alterations. In some cases, exposed documents may even contain cryptographic signatures that can help reviewers authenticate them. For example, many mail servers (such as those run by Google) use DomainKeys Identified Mail (DKIM) signatures to cryptographically sign sent emails. DKIM signatures are included in the headers of received emails. Reviewers can use the signatures, along with the signer’s public key, to verify that the contents of the message were not altered and the email did actually originate from the sender’s listed domain.
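As an added example (not code from the book), the body-hash half of the DKIM check described above, in Python: it recomputes the bh= tag of a leaked message and reports whether the body still matches, and whether an l= tag leaves part of the body unsigned. The sample message, addresses and selector are constructed, and the b= value is a placeholder because the RSA signature over the headers is not verified here.

```python
"""Check the DKIM body hash (bh=) of a leaked email. Added example, not code
from the book. Assumes raw RFC 5322 text with CRLF line endings and a
DKIM-Signature header using a=rsa-sha256 (or rsa-sha1) and c=<header>/<body>.
Verifying the b= tag (signature over the headers) would additionally need the
signer's public key from DNS and an RSA library, which this example omits.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple


def split_message(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split raw text into (headers, body); folded header lines stay attached
    to their header so tag parsing sees the whole value."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:      # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value))
    return headers, body


def parse_tags(value: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 sec. 3.2).
    Folding whitespace inside a value (common in bh= and b=) is not significant."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body: str, method: str) -> str:
    """'simple' or 'relaxed' body canonicalization (RFC 6376 sec. 3.4). Relaxed
    also strips trailing whitespace and collapses runs of spaces/tabs, so
    cosmetic whitespace edits in a leaked copy do not break the hash."""
    lines = body.split("\r\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":                 # ignore empty lines at the end
        lines.pop()
    if not lines:
        return "\r\n" if method == "simple" else ""  # empty body: single CRLF vs. nothing
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, method: str, hash_name: str = "sha256",
              limit: Optional[int] = None) -> str:
    """Base64 digest of the canonicalized body, truncated to `limit` octets
    when the signature carries an l= tag."""
    canon = canonicalize_body(body, method).encode("utf-8")
    if limit is not None:
        canon = canon[:limit]
    return base64.b64encode(hashlib.new(hash_name, canon).digest()).decode("ascii")


def check_body_hash(raw_email: str) -> Dict[str, object]:
    """Compare the bh= tag with a hash recomputed from the body in the leaked
    copy. 'body_covered' is False when an l= tag leaves trailing octets
    unsigned: text appended there would go undetected by this check."""
    headers, body = split_message(raw_email)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return {"matches": False, "reason": "no DKIM-Signature header", "body_covered": False}
    tags = parse_tags(sig)
    canon_tag = tags.get("c", "simple/simple")
    body_method = canon_tag.split("/")[1] if "/" in canon_tag else "simple"
    hash_name = tags.get("a", "rsa-sha256").split("-")[-1]
    limit = int(tags["l"]) if "l" in tags else None
    canon_len = len(canonicalize_body(body, body_method).encode("utf-8"))
    computed = body_hash(body, body_method, hash_name, limit)
    return {
        "matches": computed == tags.get("bh"),
        "expected": tags.get("bh"),
        "computed": computed,
        "body_covered": limit is None or limit >= canon_len,
    }


# Constructed sample body, loosely modelled on the lure described in the text.
SAMPLE_BODY = (
    "Hi John,\r\n"
    "\r\n"
    "Someone just used your password to try to sign in to your account.\r\n"
    "Google stopped this sign-in attempt.\r\n"
)


def make_sample_email(body: str, limit_to_body: bool = False) -> str:
    """Build a constructed message whose bh= tag is computed from `body`.
    Domain, selector and addresses are placeholders; b= is not a real signature."""
    bh = body_hash(body, "relaxed")
    l_tag = f" l={len(canonicalize_body(body, 'relaxed'))};" if limit_to_body else ""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        f" s=sel; h=from:to:subject; bh={bh};{l_tag}\r\n"
        " b=PLACEHOLDER_NOT_A_REAL_SIGNATURE\r\n"
        "From: [email protected]\r\n"
        "To: [email protected]\r\n"
        "Subject: Someone has your password\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    original = make_sample_email(SAMPLE_BODY)
    print("unaltered body matches:", check_body_hash(original)["matches"])
    print("edited body matches   :", check_body_hash(original.replace("stopped", "allowed"))["matches"])
```

A matching bh= only shows the body is the one the signer saw; the reviewer still has to verify b= against the published key to know the signer was the listed domain.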

Cryptographic signing can be a double-edged sword for anyone wishing to communicate off the record: On the one hand, it enables people to remotely verify the sender and content of messages, which is important for everyday decision making. On the other hand, messages that are cryptographically signed are difficult to repudiate for anyone who wishes to deny a statement after the fact.

If the authenticity of exposed data has not been confirmed, then it may be wise for the organization to publicly point this out. Remember that journalists have an uphill battle determining whether leaked material is authentic, particularly when it is provided by an anonymous source with no reputation. Unlike the breached organization itself, reporters have no data source to compare with the leaked data in order to determine whether it is legitimate. Forensic analysis of documents can reveal evidence of forgery or modification, but typically cannot rule either one out.

Even if the exposed data is authentic, consider whether it is unique to your organization. In cases involving intellectual property or email, this may be obvious. Other times, the exposed data may consist of personally identifiable information or other records that could exist at any number of institutions. The data could also have been stolen from a supplier or affiliate. Don’t assume that a database originated from a specific organization just because it is labeled as such; attackers may try to fool people into believing a breach has occurred in order to accomplish their own objectives.

10.2.2 Investigate

Investigating a data exposure breach is important for identifying the perpetrator, preventing future leaks, and scoping the breach. Response teams need to preserve evidence as quickly as possible, especially because perpetrators may be actively working to hide their tracks.

Knowing who perpetrated a data exposure breach can help responders properly scope the breach and ensure that it has truly been stopped. Strategies for response differ wildly depending on who caused a breach and how it occurred. For example, if the source of the data was an authorized insider, then HR/legal should be engaged in order to remove access and potentially take legal steps. On the other hand, if the leak was caused by an outside hacker, then responders might need to clean malware off the network, change passwords, and focus on other technical response measures.

When tracking down the perpetrator, there are two obvious places to start: the origin or the hosting provider(s) used to publish the data.

10.2.2.1 Origin

Investigators can analyze evidence from the organization that was breached, in order to determine who had access to the data and how it was exfiltrated. This may include the organization’s network logs, intrusion detection system alerts, web surfing history, hard drive evidence, physical access records, and any other details. Many organizations outsource data storage or analytics to third-party suppliers (who, in turn, may outsource to fourth- or even fifth- party suppliers). In this case, coordination with the supplier’s IT team may be necessary.

Typically, management of the breached organization is highly motivated to invest resources in gathering internal evidence and identifying the cause of the breach. However, breached organizations often do not collect or retain enough evidence to conclusively pinpoint the culprit—and even when evidence is collected, it may be scattered in many different places or too voluminous to analyze quickly, leading to delays. In cases where the data was stolen from a supplier’s system, acquiring evidence can be a slow and difficult process.

10.2.2.2 Host

Investigators can analyze evidence from the hosting provider(s) used to expose the data, in order to identify the individual or group that submitted the data to the provider’s site and ultimately trace it back to the initial culprit. Useful evidence may include details such as account name and IP address.

Getting evidence from a hosting provider can be a challenge. Reputable providers often require a subpoena before they release data that can identify users, which requires filing a court case. Legal action takes time, and while the clock ticks, critical evidence may be overwritten or deleted. In the United States, if litigation is anticipated, you can send a preservation order to the hosting provider. This obligates the hosting provider to preserve digital evidence that may be relevant to the case. (See Chapter 13, “Cloud Breaches,” for a more detailed discussion of evidence acquisition from cloud providers.)

The international nature of data breaches is another challenge: a crime in one nation may be business as usual in another. If data is stolen from one country and hosted in another, navigating the legal process of a foreign country can be slow and painful. Language differences alone can create barriers for response teams, law enforcement, and legal counsel—not to mention actual differences in laws and culture. Finally, the hosting provider may sympathize with the perpetrator (or even be the perpetrator), in which case a request for evidence could result in no response (at best) or trigger escalation (at worst).

Even when response teams are able to obtain evidence that identifies the person or group that uploaded data to a hosting provider, there is no guarantee that this was the same entity that stole the data in the first place. As we have seen, breached data is routinely bought and sold on the criminal underground. A hacker or inside attacker may steal and sell data to a buyer, who in turn exposes it to damage the victim organization. Although it can be useful to identify the entity that chose to expose the data to the world, this does not in and of itself enable investigators to determine how the data was stolen or conclusively scope the breach.

10.2.2.3 Anonymous Submissions

Anonymizing communications technology can make it virtually impossible for investigators to trace exposed data back to the person or group that uploaded it. Often, perpetrators deliberately use an anonymizing proxy to leak data to a hosting provider, journalist, or other intermediary. Depending on the context, perpetrators of data exposure may be at risk of prosecution, reputational damage, physical violence, or other harm. Anonymity is a cloak that can defend against all of these.

WikiLeaks advertises that it “records no source identifying information and there are a number of submission mechanisms available to deal with even the most sensitive national security information.”24 This enables people around the world to submit data without fear of reprisal.

24. “WikiLeaks: Submissions,” WikiLeaks, accessed June 1, 2019, https://wikileaks.org/wiki/WikiLeaks:Submissions.

“[W]e took the position that we would need to have a publishing system where the only defense was anonymity,” Assange explained, in a rare interview with Eric Schmidt (executive chairman of Google).25

25. Julian Assange, When Google Met WikiLeaks (New York: OR Books, 2014), 73–74.

WikiLeaks uses the Tor onion routing software for anonymous submissions (see Chapter 5, “Stolen Data,” for details on onion routing). Leakers are encouraged to upload data to WikiLeaks via a TLS-encrypted Tor submission form, to maintain confidentiality as well. More technically savvy users can use WikiLeaks’ public PGP key to wrap the data in strong end-to-end encryption prior to submission.26

26. “Submit Documents to WikiLeaks,” WikiLeaks, accessed March 16, 2018, https://wikileaks.org/#submit.

For organizations concerned about potential data leaks, the presence of Tor traffic can be an instant red flag (although there are many legitimate uses for Tor, depending on the environment). That said, many leakers exfiltrate breached data in other ways (such as using USB drives or remote hacking tools), and then submit the data via Tor using personal or public networks, where it is outside the view of the breached organization.

10.2.3 Data Removal

When data is exposed, most responders immediately attempt to remove it from the Internet as quickly as possible. As we will see, this can be a quick and easy process or nigh impossible, depending on how the data has been published.

10.2.3.1 Takedown Requests

Mainstream sites such as Pastebin routinely take down stolen data when it is reported. Pastebin.com, one of the oldest and most popular sites for data exposure, includes a “report” link above every post that gives readers the opportunity to report abuse and request removal. Since data leaks have become more common, Pastebin has hired staff to proactively monitor the site for stolen data in order to distance itself from hackers.29 In response, similar Pastebin-style sites proliferated, such as Doxbin, which is designed to host illegal and stolen data. (Doxbin was taken down by law enforcement in 2014, but quickly resurfaced under new leadership and spawned many clones after its source code was published in 2016.)

29. Adi Robertson, “Pastebin Hiring People to Proactively Remove ‘Sensitive Information,’ Says Owner,” Verge, April 3, 2012, https://www.theverge.com/2012/4/3/2922151/pastebin-hiring-people-to-proactively-remove-sensitive-information.

10.2.3.2 Legal Action

In many jurisdictions, there is a straightforward legal process that requires service providers to remove damaging material from the Internet. What’s more, service providers may be obligated (via legal mechanisms) to turn over evidence that could help track down the source of a breach, such as account information, IP addresses, and other potentially identifying details.

Not in Sweden. The neutral Nordic nation’s constitution defends the rights of journalists and media outlets, including strong (although not bulletproof) protections against uncovering the identity of sources. For this reason, in 2007, WikiLeaks moved its servers to a Swedish ISP owned by founders of the media piracy site, The Pirate Bay.30 “There’s just no one that bothers less about lawyers harassing them about content they’re hosting,” said early WikiLeaks organizer Daniel Domscheit-Berg.31

30. David F. Gallagher, “BITS; WikiLeaks Has Friend in Sweden,” New York Times, February 25, 2008, https://query.nytimes.com/gst/fullpage.html?res=9B01E5D7173CF936A15751C0A96E9C8B63.

31. Leigh and Harding, Julian Assange’s War on Secrecy, 51.

In addition to jurisdiction, the effectiveness of legal action often depends on precisely what type of data was stolen. For example, in the United States, copyrighted material is protected by the Digital Millennium Copyright Act of 1998 (DMCA), and hosting providers routinely receive and process DMCA requests to remove protected content. However, as we saw in the case of football player Jason Pierre-Paul and ESPN (see Chapter 9, “Health Data Breaches”), third parties may be under no legal obligation to refrain from spreading other types of information, such as personal health data (although by policy many organizations voluntarily choose not to host stolen data).

Even when the law is on your side, one problem for breached organizations is that legal action takes time. While the wheels of justice turn, the offending data may remain visible online for days, weeks, months, or years.

10.2.3.3 Free Speech vs. Stolen Data

There is a big difference between hosting breached data and stealing data in the first place. Journalists and media outlets enjoy special protections in many countries, giving them leeway to republish material regardless of the source. Laws designed to protect freedom of speech can also protect hosting providers that publish breached data. This has significant consequences for organizations that are trying to remove their exposed data from the Internet: You may have legal recourse against hackers but not the third parties that redistribute your stolen information.

This important distinction was illustrated long before the Internet during the 1971 “Pentagon Papers” breach. In this landmark federal case, military analyst Daniel Ellsberg, employed at the time by RAND Corporation, leaked a top-secret U.S. Department of Defense (DoD) study of the government’s decision-making process during the Vietnam War. Revelations from the documents—dubbed the “Pentagon Papers”—were published by the New York Times and the Washington Post in June 1971.33 The Nixon administration sought to muzzle the newspapers, but the Supreme Court quickly ruled that the First Amendment protected the right of the newspapers to republish the leaked, classified information, unless the government could demonstrate that such publication would cause “grave and irreparable” danger.34

33. “Washington’s Culture of Secrets, Sources and Leaks,” Frontline, PBS, February 13, 2007, https://www.pbs.org/wgbh/pages/frontline/newswar/part1/frankel.html.

34. New York Times Co. v. United States, 403 U.S. 713 (1971), https://www.oyez.org/cases/1970/1873.

In contrast, Rupert Murdoch and his U.K. tabloid, News of the World, learned the hard way that actual involvement in hacking could be disastrous for a media company. The newspaper was dogged by accusations that reporters hacked into the phones of celebrities and civilians, starting in 2006 when a reporter and a private investigator working for the paper were arrested for hacking into the voicemail of the royal household.

Far from being an isolated incident, hacking was secretly a routine practice within the news organization. Over the next few years, more victims came forward and accused the tabloid of invasion of privacy. In 2011, the Guardian published an exposé of the practice, alleging that the media corporation hired private investigators to hack into “thousands” of phones, including those of British elected officials.35

35. Nick Davies, “Murdoch Papers Paid £1m to Gag Phone-Hacking Victims,” Guardian, July 8, 2009, https://www.theguardian.com/media/2009/jul/08/murdoch-papers-phone-hacking.

The scandal blew up. Rebekah Brooks, the CEO of News International, which published News of the World, stepped down under pressure and was subsequently arrested.36 Upon investigation, a British parliamentary panel issued a report that concluded owner Murdoch had “exhibited willful blindness to what was going on in his companies and publications” and was “not a fit person to exercise the stewardship of a major international company.”37 On July 10, 2011, after 168 years in business, News of the World shut its doors forever.

36. “Rebekah Brooks Arrested by Hacking Police,” BBC News, July 18, 2011, http://www.bbc.com/news/uk-14178051.

37. John F. Burns and Ravi Somaiya, “Panel in Hacking Case Finds Murdoch Unfit as News Titan,” New York Times, May 1, 2012, http://www.nytimes.com/2012/05/02/world/europe/murdoch-hacking-scandal-to-be-examined-by-british-parliamentary-panel.html.

Media organizations walk a fine line. Republishing leaked data is one thing; engaging in hacking (or even encouraging it) is quite another.

10.2.3.4 Technical Action

Sites that publish breached data can be taken down through technical means. One common method involves working through the domain’s registrar (the organization that manages information about registered domains). With sufficient documentation (such as a court order), registrars can transfer a domain away from the current owner and give control to another entity such as law enforcement. The new owner can choose whether to keep the website running (“seize and operate”), suspend DNS resolution so that visits are unsuccessful (“seize and take down”), or cause the URL of the site to redirect to a notification page (“seize and post notice”).38

38. Dave Piscitello, “Guidance for Preparing Domain Name Orders, Seizures & Takedowns,” Internet Corporation for Assigned Names and Numbers (ICANN), March 2012, https://www.icann.org/en/system/files/files/guidance-domain-seizures-07mar12-en.pdf.

Although not typically recommended, it may also be technically possible to remove data from the Internet by hacking into the host’s servers or launching a denial-of-service attack. While it can be tempting to fight fire with fire, most of the time these activities violate laws and can harm innocent third parties. Organizations that engage in illegal hacking or denial-of-service attacks risk legal jeopardy or the threat of escalation.

10.2.4 Public Relations

Data exposure is by nature a public affair. Typically, perpetrators seek to damage the victims’ reputation, and so having a proactive communications campaign is key.

In exposure cases, PR teams should consider:

  • Victims: Which individuals or organizations are primarily impacted by the exposure? All too often, it is not just the breached organization that suffers negative publicity and reputational damage.

  • Spin: The interpretation of the data. Often, attackers are seeking to sway public opinion by selectively publishing or modifying the data. They may also carefully time data releases to influence events.

  • Attacker Reaction: How attackers may react to press releases or other responses by the victim organization. In some cases, the attackers may have no way to publicly speak after releasing the data. In other cases, they may taunt, threaten, or further embarrass the organization.

In this section, we will provide tips and examples for handling victim communications, spin, and attacker reactions. (For a detailed discussion of data breach crisis communications, see §§ 3.2 and 3.3.)

10.2.4.1 Victims

Data exposure cases typically affect many people, not just the breached organization. Customers, patients, employees, and other parties may be hit with the shrapnel. The impact depends on the precise content that was exposed, and victims may suffer embarrassment, fraud, financial loss, or physical violence. It is not always clear what responsibility the breached organization has to make things right, particularly in cases where the damage is irreparable. When the breach exposes unethical or illegal activity, the organization may be held liable for keeping the information secret in the first place.

In the Panama Papers case (introduced in Chapter 8, “Supply Chain Risks”), the law firm Mossack Fonseca was breached, resulting in the exposure of 2.6 TB of highly sensitive data. Many of the firm’s clients were seriously impacted. For example, the leaks exposed questionable financial dealings of world leaders, such as David Cameron, who was then prime minister of the United Kingdom. Cameron was scrutinized for accepting a £200,000 “gift” from his mother, which was widely criticized as a scheme to avoid inheritance tax. In response, thousands of people swarmed the streets outside the U.K. government headquarters, calling for Cameron’s resignation.43

43. Simon Walters and Glen Owen, “Cameron’s Tax Bill Dodge on Mother’s £200,000 Gift,” Mail Online, http://www.dailymail.co.uk/news/article-3531822/Cameron-s-tax-bill-dodge-mother-s-200-000-gift-New-row-historic-decision-publish-PM-s-tax-return-revealed-family-avoided-70-000-bill-father-died.html.

Journalists combing through the Panama Papers also uncovered a complex web of shady companies and financial transactions that led back to Russian president Vladimir Putin. Media outlets such as the Guardian produced reader-friendly diagrams that laid out the money trail, naming specific friends, family members, banks, and corporations that were reportedly involved in money laundering schemes.

10.2.4.2 Spin

People who deliberately leak data do it for a reason. Often, “spin” is the name of the game. Recordings, videos, documents, and conversations can be selectively edited to support a particular angle and then exposed. Intermediaries and sources of leaked data routinely filter the caches of data that they obtain, choosing to release only a portion. Recipients, such as the mainstream media, aim to present a balanced picture but rarely raise the question of what might have deliberately been left out of the exposed data stockpiles.

In the Panama Papers case, the data was reportedly leaked by an anonymous source, who claimed that he dumped the data for ethical reasons. “I want to make these crimes public.” Then, a month after the leak went public, the International Consortium of Investigative Journalists (ICIJ) published an 1,800-word manifesto written by the source, which provided an explanation and attempted to justify the leak. “Income inequality is one of the defining issues of our time,” it began. In effect, the author claimed that he exposed the Panama Papers for the noble cause of shining a light on widespread systemic corruption.

Yet there were other, less inspiring (and less reported) theories for the leak. A spokesman for Putin dismissed the leak as an attempt to “destabilise the situation in Russia ahead of elections.” (Russia’s parliamentary elections took place in September 2016.)44

44. Luke Harding, “Kremlin Dismisses Revelations in Panama Papers as ‘Putinphobia’,” Guardian, April 4, 2016, https://www.theguardian.com/news/2016/apr/04/kremlin-reaction-putin-dmitry-peskov-panama-papers-putinphobia.

“You journalists all know what an information product is,” said Putin himself, at a media forum in St. Petersburg. “So they went through this offshore [material]. Your humble servant was not there, but they don’t talk about that. But there’s still a job to be done. So what did they do? They make an information product—they found acquaintances and friends.”

WikiLeaks—which had reportedly been contacted by “John Doe” but did not respond—was quick to point the finger at the U.S. government, tweeting “#PanamaPapers Putin attack was produced by OCCRP which targets Russia & former USSR and was funded by USAID & Soros.”45 (By then, questions had surfaced regarding the relationship between WikiLeaks and Putin, with many accusing Assange of a bias toward Russia.) The Organized Crime and Corruption Reporting Project (OCCRP) was one of the media partners involved in reporting the leak, however, and was not named as the actual source.

45. WikiLeaks (@wikileaks), “#PanamaPapers Putin attack was produced by OCCRP which targets Russia & former USSR and was funded by USAID & Soros,” Twitter, April 5, 2016, 2:05 p.m., https://twitter.com/wikileaks/status/717458064324964352/photo/1.

The U.S. State Department confirmed that it provided funding for OCCRP (as did various other organizations), but insisted that the U.S. government was not “in any way involved in the actual leak.”46 Still, it was hard to rule out that the leak could have been politically motivated and professionally produced.

46. Irina Titova and Vladimir Isachenkov, “Putin Says Panama Papers Part of U.S. Plot to Weaken Russia,” AP News, April 7, 2016, https://apnews.com/b2e8d290404b40478cd4198b86d6adf2/putin-says-panama-papers-part-us-plot-weaken-russia.

10.2.4.3 Attacker Reaction

In many data exposure cases, the perpetrator publicly taunts or threatens the victim organization to get a reaction, increase publicity, or simply out of twisted enjoyment. For example, “hacktivists” have historically engaged in extensive public communications with their victim organizations to build momentum for their cause or make demands. The victim’s public response (or lack thereof) can dramatically affect the perpetrators’ behaviors, either escalating the fight or causing momentum to fizzle.

A golden rule of responding to data exposure is to not publicly engage with the attackers. The once-respected security firm HBGary Federal learned this the hard way when its CEO, Aaron Barr, began publicly bragging that he knew the names of key leaders of the Anonymous movement. As the media caught wind and began publishing Barr’s story, Anonymous members began to leave negative comments on the stories and launched a distributed denial-of-service attack on the corporation.47 In response, Barr’s approach was to escalate the public fight. “I am planning on releasing a few names of folks that were already arrested,” he wrote in an email to colleagues. “This battle between us will help spur publicity anyway.”

47. Jaqui Cheng, “Anonymous to Security Firm Working with FBI: ‘You’ve Angered the Hive,’” Ars Technica, February 7, 2011, https://arstechnica.com/tech-policy/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.

It did indeed spur publicity. Shortly thereafter, Anonymous broke into the servers of HBGary Federal and its sister company HBGary, Inc., stole more than 60,000 emails and documents (including troves of sensitive correspondence with clients), posted the breached data as a torrent on The Pirate Bay, defaced HBGary Federal’s website, and left a copy of the data there for the world to download. The stampeding herd also deleted more than a terabyte of HBGary’s backup files, and reportedly even wiped Barr’s iPad for good measure.48

48. Nate Anderson, “How One Man Tracked Down Anonymous–and Paid a Heavy Price,” Ars Technica, February 9, 2011, https://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/.

The HBGary breach revealed sensitive, and at times shocking, correspondence relating to the firm’s clients, which included a law firm working on behalf of Bank of America and the U.S. Chamber of Commerce. Within days the HBGary brand had become “toxic,” according to Forbes.49 A year later, HBGary Federal was shut down, and its sister company HBGary, Inc. was sold.

49. Andy Greenberg, “HBGary Execs Run for Cover as Hacking Scandal Escalates,” Forbes, February 15, 2011, https://www.forbes.com/sites/andygreenberg/2011/02/15/hbgary-execs-run-for-cover-as-hacking-scandal-escalates.

10.3 MegaLeaks

Today, megaleaks are a threat to every high-profile organization. A megaleak is a large-scale data exposure case, typically involving a high volume of data and widespread distribution through the mainstream media. The impact of a megaleak can reverberate throughout a breached organization’s ecosystem and cause deep financial, legal, and social consequences not only for the organization itself, but for customers, affiliates, investors, suppliers, and more. Once a megaleak is released, it can never be erased.

Megaleaks were not always possible. Exposing large volumes of data is more difficult than it sounds. First, simply finding a place to host a large volume of sensitive data can be a challenge for attackers, especially when powerful organizations want to see it removed. Gaining the attention of the mainstream media typically requires existing relationships and a good story. Picking out juicy nuggets of information from a vast trove of data requires teams of people, in some cases with specific expertise.

It was the 2010 Bradley Manning data breach that made megaleaks possible. Bradley Manning, an intelligence analyst for the U.S. Army, stole hundreds of thousands of classified documents and leaked them to WikiLeaks, which (after extensive effort) was ultimately able to expose them to the world. Due to the enormous volume of highly sensitive data that Manning leaked, innovation was necessary in order to analyze and disseminate it. New developments included:

  • Collaboration with mainstream media partners.

  • Analysis and authentication of large, complex data repositories.

  • Redaction standards and methods for large volumes of leaked data.

  • Presentation tactics for communicating key points to the public.

  • Timed releases designed to maximize attention and reduce risk.

  • Strong social media following for WikiLeaks.

In this section, we will step through the innovations that WikiLeaks and its mainstream media partners pioneered during the Manning breach and discuss how these changed defenders’ response strategies.

10.3.1 Manning’s Crime

In January 2010, Army intelligence analyst Bradley Manning50 sat at a keyboard at a U.S. military base outside Baghdad, lip-syncing to Lady Gaga. Little did anyone know that as the pop music played, Manning quietly copied hundreds of thousands of secret documents from the classified military network to the rewritable CD in the drive of his government-owned laptop.

50. Later, Manning transitioned to female and renamed herself Chelsea Manning. For the purposes of this book, we will refer to Manning with the name and gender that she portrayed at the time of the events described, to match documentation from the time.

As an intelligence analyst, Manning analyzed all sources of available information to create “work products,” such as “maps and charts to conduct predictive analysis based on statistical trends.”51 Manning therefore had broad access to databases containing detailed Iraq and Afghanistan war records, including the “Significant Activities” (SIGACTs) records, which he described as essentially a “daily journal” of events.52

51. Bradley Manning, “PFC Manning’s Statement Redacted,” Google Docs, January 29, 2013, at 6, https://docs.google.com/file/d/0B_zC44SBaZPoQmJUYURBUnBycUk/edit.

52. Manning, “PFC Manning’s Statement,” 4.

Over time, Manning became increasingly disturbed by the information he digested. Ultimately, he decided he needed to release it to the public. “I believed that if the general public, especially the American public, had access to the information . . . this could spark a domestic debate on the role of the military and our foreign policy in general, as well as it related to Iraq and Afghanistan,” Manning later explained. “I also believed a detailed analysis of the data over a long period of time, by different sectors of society, might cause society to re-evaluate the need, or even the desire to engage in . . . operations that ignored the complex dynamics of the people living in the affected environment each day.”

Manning had direct access to the U.S. military’s classified network, SIPRNet. For security purposes, SIPRNet was “air gapped,” meaning that it was not connected to the Internet. However, it soon became clear that, with physical access, a privileged insider could exfiltrate practically anything.

Due to dust and heat, computer equipment at the military bases in Iraq was often unreliable. Manning and his fellow analysts experienced frequent crashes that caused them to lose information.53 The analysts were instructed to keep backups of their work product. As a result, Manning developed a process in which he copied the data he frequently needed, as well as his work product, to multiple locations, including CD-RW disks that he kept in a conference room.

53. Manning, “PFC Manning’s Statement,” 7.

At the end of his shift on January 8, 2010, Manning took a backup CD-RW from the conference room, put it in the cargo pocket of his uniform, and walked out of the secure military facility. “The air gap has been penetrated,” Manning later confessed. The CD-RW contained 482,832 reports from the Iraq and Afghanistan wars. Manning didn’t have a specific plan at the time, but he copied the stolen data to his personal computer and ultimately brought it to the United States while on a two-week leave.

After reaching out unsuccessfully to reporters at the New York Times and the Washington Post, Manning visited a Barnes and Noble store, where he used the public wireless network and uploaded the documents to WikiLeaks, a site dedicated to publishing leaked and stolen data. Manning later described a feeling of relief: “I felt I had accomplished something that allowed me to have a clear conscience based upon what I had seen, read about and knew were happening in both Iraq and Afghanistan every day.”54

54. Manning, “PFC Manning’s Statement,” 14.

The volume of classified data that Manning stole was unprecedented, at least in the public eye: 391,832 reports on the Iraq War (2004–9),55 91,000 documents on the war in Afghanistan (2004–10),56 hundreds of files on Guantanamo Bay detainees,57 and 251,287 U.S. diplomatic cables.58

55. “The Iraq War Logs,” WikiLeaks, accessed March 16, 2018, https://wikileaks.org/irq.

56. “Afghanistan,” WikiLeaks, accessed March 16, 2018, https://wikileaks.org/afg.

57. D. Leigh, J. Ball, I. Cobain, and J. Burke, “Guantánamo Leaks Lift Lid on World’s Most Controversial Prison,” Guardian, April 25, 2011, https://www.theguardian.com/world/2011/apr/25/guantanamo-files-lift-lid-prison.

58. “Cablegate: 251,287 Diplomatic Cables, Nearly All from 2003 to 2010,” WikiLeaks, accessed March 16, 2018, https://wikileaks.org/plusd/?qproject[]=cg&q=#result.

10.3.2 Caught!

Manning was caught—but not because investigators successfully tracked down the source of the leak. Although the military network was reportedly monitored, Manning later described a culture of pervasive apathy: “I even asked the NSA guy if he could find any suspicious activity coming out of local networks . . . he shrugged and said . . . ‘its [sic] not a priority.’”59

59. Evan Hansen, “Manning-Lamo Chat Logs Revealed,” Wired, July 13, 2011, https://www.wired.com/2011/07/manning-lamo-logs.

Manning might have gotten away with his crime, but, feeling isolated, he reached out to reformed cybercriminal Adrian Lamo online and confessed. Shortly thereafter, Lamo reported Manning to the DoD.60 Days later, Manning was arrested in Iraq and sent to a U.S. military prison.

60. Ed Pilkington, “Adrian Lamo on Bradley Manning: ‘I Knew My Actions Might Cost Him His Life,’” Guardian, January 3, 2013, https://www.theguardian.com/world/2013/jan/03/adrian-lamo-bradley-manning-q-and-a.

10.3.3 Cooperation: A New Model

WikiLeaks suddenly found itself under heavy pressure from the world’s largest military power, and it was hopelessly outmatched. Manning’s arrest sparked an international manhunt for Julian Assange, who now held a treasure trove of classified U.S. military records and was hell-bent on releasing it.

Investigative journalist Nick Davies observed that Assange “was facing four separate lines of attack”:63

63. Leigh and Harding, Julian Assange’s War on Secrecy (London: Guardian, 2013), 96–97.

The first was physical—that someone would beat him up or worse. The second was legal—that Washington would attempt to crush WikiLeaks in the courts. The third was technological—that the US or its proxies would bring down the WikiLeaks web site. The fourth and perhaps most worrisome possibility was a PR attack—that a sinister propaganda campaign would be launched, accusing Assange of collaborating with terrorists.

Convinced that the yet-to-be-revealed cables were “the biggest story on the planet,” Davies reached out to WikiLeaks, hoping to convince Assange to partner with the Guardian. Under normal circumstances, Assange viewed the media with suspicion and as competitors. Davies knew that Assange would not be inclined to simply hand over his biggest scoop to the much-derided “mainstream media.” But he also knew that Assange was vulnerable. Partnering with major media outlets would provide WikiLeaks with legitimacy, as well as access to more resources.

The Guardian itself was also vulnerable. Headquartered in the United Kingdom, it was subject to “hostile” media laws. By publishing the leaked U.S. cables, the Guardian could find itself facing an injunction sought by the U.S. embassy, which would halt publication. As Assange revealed the full extent of the leaked databases, including the Iraq and Afghanistan war logs as well as the Guantanamo files, the risk of pressure or retaliation by the United States seemed ever more real.64

64. Leigh and Harding, Julian Assange’s War on Secrecy, 97–101.

Weighing the options, Davies proposed that WikiLeaks partner with the Guardian and other respected papers to publish the material simultaneously. Assange agreed, and the group pulled in the New York Times and (eventually) Berlin-based Der Spiegel. Assange requested that the New York Times publish five minutes ahead of the other papers, to reduce the risk of Manning being convicted of espionage.65

65. Leigh and Harding, Julian Assange’s War on Secrecy, 100–101.

Thus began an unlikely partnership: the international desperado Assange, working with three of the most respected global media outlets. As described by the Guardian staff, it was “a new model of cooperation aimed at publishing the world’s biggest leak.”66 And it worked.

66. Leigh and Harding, Julian Assange’s War on Secrecy, 98.

10.3.4 Drowning in Data

Manning’s leak was a vast and detailed record of war events and diplomatic correspondence. It was far more than any one person could possibly digest, and much of the material required specialized knowledge to fully understand. The reporters quickly discovered that having possession of data wasn’t the same as actually knowing anything.67 In addition to making sense of the material, the media outlets also had to authenticate and redact it.

67. Leigh and Harding, Julian Assange’s War on Secrecy, 106.

The mainstream media brought in experts who analyzed the data and uncovered shocking, previously unknown facts about both wars, as well as scandalous diplomatic correspondence. They established teams of analysts, including experts in the Iraq and Afghanistan wars, in order to verify the authenticity of the data and digest it. The Guardian set up a “war room” at its London headquarters. It quickly built a searchable database to facilitate internal analysis. Reporters flew in from around the world, including Islamabad, New York, and Germany. Manning didn’t know it, but as he suffered in prison, world-renowned journalists pored over the documents he had leaked.

The New York Times likewise set up a war room at its facilities and provided assistance analyzing the data. Der Spiegel’s reporters turned out to be vital, as they had access to the German federal parliament’s investigation into Afghanistan and were therefore able to confirm the authenticity of many of the details in the leaked documents.68

68. Leigh and Harding, Julian Assange’s War on Secrecy, 104–10.

The sheer volume of data that WikiLeaks and its partners analyzed and published was unprecedented. “In Ellsberg’s day, it took nearly a year to photocopy the 7,000-page Pentagon papers and most of another year to get excerpts published,” reflected Time magazine. “The push-button model of WikiLeaks compresses the timeline radically and permits the universal broadcast of voluminous archives in full, so much so that leak hardly seems to suffice as a metaphor.” Indeed, it wasn’t so much a leak as a flood.69

69. Barton Gellman, “Person of the Year 2010: Runners-Up: Julian Assange,” Time, December 15, 2010, http://content.time.com/time/specials/packages/article/0,28804,2036683_2037118_2037146,00.html.

The teams of analysts distilled the material into articles, infographics, and catchy sound bites: polished media products with far more reach than the raw documents.

10.3.5 Redaction

Much of the data leaked in the Manning breach contained identifying information that could place war informants or other civilians at risk of harm. The reporters were deeply concerned about the safety of people mentioned in the leaked documents, such as Iraqi and Afghan informants who had worked with U.S. operatives, especially because the leaked databases were simply reports written up by U.S. military personnel, who were themselves fallible. “I thought about the American bases I’d visited, the Afghan characters I’d met in little villages and towns,” said Guardian reporter Declan Walsh. “There was no way I’d like to put them at risk on the basis of a document prepared by some wet-behind-the-ears American GI, who may or may not have correctly understood the information they were receiving.”

While the mainstream media was planning to publish only a handful of documents, Assange at first made it clear that WikiLeaks would publish the entire contents of the leak. The reporters had a hard time convincing him that redaction was important. “Well, they’re informants,” Assange once said callously at a dinner. “So, if they get killed, they’ve got it coming to them.”70

70. Leigh and Harding, Julian Assange’s War on Secrecy, 111.

Eventually, however, the reporters convinced Assange of “the logic of redaction.” Assange refrained from publishing 15,000 files from the Afghanistan war logs that were “most likely to contain identifying details.” After WikiLeaks was called to task for not fully redacting the material that it did publish, Assange used a software program to automatically redact names from the Iraqi war logs.71

71. Leigh and Harding, Julian Assange’s War on Secrecy, 112–13.

The result was that WikiLeaks developed new technical processes for redacting large volumes of material. Unfortunately, the redaction was undermined when the full archive was accidentally exposed—but it nonetheless established a precedent for future breaches.

10.3.6 Data Products

In order for the public to understand the significance of the exposed data, it had to be digested and turned into data products. Reporters around the globe worked tirelessly to distill the vast volumes of data into bite-sized chunks that could be absorbed by a mainstream audience. The result was a series of pointed articles that highlighted key findings from analysis of the exposed data. The Guardian even pulled in a “data visualizer” to produce an interactive graphical display for readers.74

74. Leigh and Harding, Julian Assange’s War on Secrecy, 104–6.

At the same time, WikiLeaks prepared to publish a massive, searchable database of the redacted source material, which the public could examine themselves. This searchable database is an important feature of WikiLeaks that facilitates widespread and ongoing analysis of the data to this day.

10.3.7 Timed and Synchronized Releases

When the material was finally released (in a series of synchronized campaigns), it triggered protests and debate within the United States, sparked anger around the world, and caused what one foreign minister referred to as “the 9/11 of world diplomacy.”75

75. Leigh and Harding, Julian Assange’s War on Secrecy, 202.

But publishing the cables was no easy feat. WikiLeaks and its partners deliberately synchronized releases to minimize risk to any one party, while maximizing attention. The global media partners coordinated extensively to synchronize their launch time, but tripped up when early copies of Der Spiegel were accidentally distributed.

Despite the chaotic launch, the publication was a massive success, from a readership standpoint. The Guardian experienced “remarkable traffic—the 4.1 million unique users clicking on it that day was the highest ever. Record numbers would continue, with 9.4 million browsers viewing WikiLeaks stories between 28 November and 14 December.”76

76. Leigh and Harding, Julian Assange’s War on Secrecy, 202.

On July 25, 2010, WikiLeaks published the Afghan war documents. The Guardian, the New York Times, and Der Spiegel all published reports on the same day. The data dump, which The Guardian hailed as “one of the biggest leaks in US military history,” painted a day-by-day picture of the Afghanistan conflict as it unfolded, for a six-year period between 2004 and 2009.77

77. Nick Davies and David Leigh, “Afghanistan War Logs: Massive Leak of Secret Files Exposes Truth of Occupation,” Guardian, July 25, 2010, https://www.theguardian.com/world/2010/jul/25/afghanistan-war-logs-military-leaks.

Then, on October 22, 2010, WikiLeaks published the Iraq war logs, after having proactively shared them with The Guardian, the New York Times, Der Spiegel, Le Monde (French), and others. The trove of documents—which at 391,832 cables was four times as large as the Afghan war logs—was once again hailed as the “[b]iggest document leak in history” by the Bureau of Investigative Journalism.78 The media highlighted juicy revelations, such as the discovery that the total number of deaths was 30,000 higher than the official figures reported by the United States.79

78. Rachel Oldroyd, “In Video: The Biggest Document Leak in History Exposes Real War,” Bureau of Investigative Journalism, October 21, 2010, https://web.archive.org/web/20130429122404/http://www.iraqwarlogs.com/2010/10/21/the-leaked-us-files-and-what-they-mean/.

79. M. Chulov, C. McGreal, L. Eriksen, and T. Kington, “Iraq War Logs: Media Reaction Around the World,” Guardian, October 28, 2010, https://www.theguardian.com/world/2010/oct/28/iraq-war-logs-media-reaction.

The impact of the Iraq and Afghanistan war logs was dwarfed, however, by “Cablegate,” the subsequent publication of more than a quarter of a million U.S. diplomatic cables. Released on November 28, 2010, the cables contained the “unvarnished” internal reports from U.S. diplomats around the world. “Hillary Clinton and several thousand diplomats around the world are going to have a heart attack,” predicted Manning.

“The German chancellor is referred to as Angela ‘Teflon’ Merkel. Karzai is said to be ‘driven by paranoia.’ North Korean leader Kim Jong Il is said to suffer from epilepsy. Libyan leader Moammar Gadhafi’s full-time nurse is called a ‘hot blond,’” summarized NPR, after the cables’ release.80

80. Dina Temple-Raston, “WikiLeaks Release Reveals Messier Side of Diplomacy,” NPR, November 28, 2010, https://www.npr.org/2010/11/28/131648175/wikileaks-releases-huge-cache-of-u-s-diplomatic-cables.

In addition to candid, often offensive observations of world leaders, the cables included startling revelations, such as the fact that U.S. diplomats were engaged in extensive spying operations, gathering intimate details on important geopolitical figures such as U.N. leadership, including highly personal information such as credit card numbers, passwords, fingerprints, and even DNA.81

81. David Leigh, “US Embassy Cables Leak Sparks Global Diplomatic Crisis,” Guardian, November 28, 2010, https://www.theguardian.com/world/2010/nov/28/us-embassy-cable-leak-diplomacy-crisis.

Over the following years, WikiLeaks grew increasingly savvy and timed data dumps in order to create very effective media campaigns.

10.3.8 Takedown Attempts Backfire

While publishing the Manning data, WikiLeaks was hit by a massive distributed denial-of-service attack, which swamped its servers. Assange and his team quickly moved WikiLeaks’ main page into the Amazon cloud, which was capable of withstanding the attack. However, Senator Joe Lieberman called Amazon, pressuring the company into shutting down WikiLeaks’ hosting. Amazon complied, canceling WikiLeaks’ service with a terse note that stated the organization had violated Amazon’s terms of service.83

83. Leigh and Harding, Julian Assange’s War on Secrecy, 205.

“The dominoes then started to fall,” described Guardian reporters Leigh and Harding.84

84. Leigh and Harding, Julian Assange’s War on Secrecy, 206.

WikiLeaks’ DNS provider, EveryDNS, removed the organization’s domain name (wikileaks.org) and email pointers from its systems, forcing WikiLeaks to switch to an alternate domain: wikileaks.ch.

The next day, PayPal suspended WikiLeaks’ account, due to a “violation of the PayPal Acceptable Use Policy.” Shortly thereafter, Assange’s Swiss bank closed his accounts, on the basis that he did not actually live in Geneva, as required. Mastercard and Visa likewise shut down WikiLeaks’ accounts. Without the ability to accept donations, WikiLeaks was cut off from its financial lifeline.85

85. Leigh and Harding, Julian Assange’s War on Secrecy, 206.

“Whole sections of WikiLeaks’ physical and human infrastructure kept disappearing,” described Assange, years later. “[T]he banks placed us under extralegal financial blockades while communication companies, foreign governments, and our human networks were pressured by Washington.”86

86. Assange, When Google Met WikiLeaks, 14.

Under fire, WikiLeaks was forced to react quickly and build a more resilient data distribution and hosting architecture, relying on web proxies and a network of mirror sites. “[WikiLeaks] had no financial defense; it had no legal defense; and it had no political defense,” explained Assange. “Its defenses were purely technical. That meant a system that was distributed at its front with many domain names, and a fast ability to change those domain names, a caching system, and, at the back, tunneling through the Tor network to hidden services.”87 Shortly thereafter, WikiLeaks began accepting donations via Bitcoin, as a means of circumventing banking restrictions.88

87. Assange, When Google Met WikiLeaks, 73–74.

88. Nermin Hajdarbegovic, “Assange: Bitcoin and WikiLeaks Helped Keep Each Other Alive,” CoinDesk, September 16, 2014, https://www.coindesk.com/assange-bitcoin-wikileaks-helped-keep-alive.

10.3.9 Distribution

As news of the Manning leaks spread, WikiLeaks gained supporters. Hordes of journalists followed WikiLeaks on social media, excitedly combing through new releases and distributing digests to the masses. Assange not only gained fame but inspired legions of passionate followers. As the embattled nonprofit was struggling to keep its servers up and running, John Perry Barlow, founder of the Electronic Frontier Foundation, posted a resounding call to action on Twitter: “The first serious infowar is now engaged. The field of battle is WikiLeaks. You are the troops.”89

89. John Perry Barlow (@JPBarlow), “The first serious infowar is now engaged. The field of battle is WikiLeaks. You are the troops,” Twitter, December 3, 2010, 1:32 a.m., https://twitter.com/jpbarlow/status/10627544017534976.

Anonymous heeded the battle cry. The stampeding herd echoed Barlow’s words and issued their own call to action:90

90. Errisian Cacaphony, “A for Assange: Operation Avenge Assange,” YouTube, 1:38 min, posted December 8, 2010, https://www.youtube.com/watch?v=fUfEoyxLJEQ; “4Chan Launches ‘Operation Avenge Assange,’ Targets Julia Gillard,” Pedestrian TV, December 6, 2010, https://www.pedestrian.tv/news/4chan-launches-operation-avenge-assange-targets-julia-gillard.

Julian Assange deifies everything we hold dear. He despises and fights censorship constantly. . . . Now, Julian is the prime focus of a global manhunt. Governments across the world are baying for his blood, politicians are up in arms about his recent leak. . . . Anonymous has a chance to kick back for Julian.

The inspiring lead-in was followed by a seven-point list of specific action items. Supporters were called upon to boycott PayPal, spread the leaked cables, vote for Assange as the Time magazine Person of the Year, and organize community marches, among other activities.91 Anonymous quickly pointed their cannons at Visa and Mastercard, crippling both companies’ websites. They also targeted PayPal—with only limited success—and attacked the websites of WikiLeaks opponents Senator Joe Lieberman, Sarah Palin, and others.92

91. “4Chan Launches.”

92. Esther Addley and Josh Halliday, “WikiLeaks Supporters Disrupt Visa and MasterCard Sites in ‘Operation Payback’,” Guardian, December 9, 2010, https://www.theguardian.com/world/2010/dec/08/wikileaks-visa-mastercard-operation-payback.

Due to the chaotic and disorganized nature of Anonymous, the group’s assault on payment providers was short-lived. It did, however, garner international press and demonstrate support for WikiLeaks and Assange. “The event was something new,” wrote the Guardian team, “the internet equivalent of a noisy political demonstration.”93 Although Anonymous had been “demonstrating” for years, Operation Avenge Assange took them—and WikiLeaks—to a whole new level of publicity.

93. Leigh and Harding, Julian Assange’s War on Secrecy, 208.

Assange handily won the Time magazine readers’ choice for Person of the Year in 2010.94 Using his newfound power, he stoked the flames of media attention. He made it clear that more releases would follow and that he wasn’t just targeting governments—he intended to aggressively go after corporate America.

94. Megan Friedman, “Julian Assange: Readers’ Choice for TIME’s Person of the Year 2010,” Time, December 13, 2010, http://newsfeed.time.com/2010/12/13/julian-assange-readers-choice-for-times-person-of-the-year-2010.

“Early next year, Julian Assange says, a major American bank will suddenly find itself turned inside out,” reported Forbes in late 2010. “Tens of thousands of its internal documents will be exposed on WikiLeaks.org with no polite requests for executives’ response or other forewarnings. The data dump will lay bare the finance firm’s secrets on the Web for every customer, every competitor, every regulator to examine and pass judgment on.”95

95. Andy Greenberg, “WikiLeaks’ Julian Assange Wants to Spill Your Corporate Secrets,” Forbes, November 29, 2010, https://www.forbes.com/sites/andygreenberg/2010/11/29/wikileaks-julian-assange-wants-to-spill-your-corporate-secrets/.

WikiLeaks emerged from the Manning breach with a vastly expanded public profile and social media following. The result was a powerful new distribution model, in which WikiLeaks was able to feed information about new releases directly to legions of journalists and the public.

10.3.10 Punishment Backfires

The ensuing national debate illustrates how punishing the source of a data leak can have mixed consequences. The U.S. government sought to make Manning an example in order to discourage future leakers. He was moved to a high-security facility at Quantico, Virginia, where he was forcibly isolated for 23 hours a day, and barred access to clothing for extended periods of time.96

96. “Bradley Manning Will Be Credited 112 Days for Horrendous Stay at Quantico,” RT: US News, January 8, 2013, https://www.rt.com/usa/manning-wikileaks-sentence-pretrial-581.

Proponents of the press and civil rights activists condemned Manning’s harsh treatment. “Bradley Manning deserves a medal,” wrote Guardian reporter Glenn Greenwald, as Manning awaited trial.97 “[T]hese proceedings reveal the US government’s fixation with extreme secrecy, covering up its own crimes, and intimidating future whistleblowers.”

97. Glenn Greenwald, “Bradley Manning Deserves a Medal,” Guardian, December 14, 2011, https://www.theguardian.com/commentisfree/2011/dec/14/bradley-manning-deserves-a-medal.

Ultimately, Manning was sentenced to 35 years in prison—the longest-ever sentence in the United States for a data leak. The ACLU’s Ben Wizner remarked that it was “a sad day for all Americans who depend on brave whistleblowers and a free press for a fully informed public debate . . . When a soldier who shared information with the press and public is punished far more harshly than others who tortured prisoners and killed civilians, something is seriously wrong with our justice system.”98

98. Julie Tate, “Bradley Manning Sentenced to 35 Years in WikiLeaks Case,” Washington Post, August 20, 2013, https://www.washingtonpost.com/world/national-security/judge-to-sentence-bradley-manning-today/2013/08/20/85bee184-09d0-11e3-b87c-476db8ac34cd.

Others lauded the strong sentence. “The message won’t be lost for everyone in the military,” said Steven Bucci of the Heritage Foundation. “When you sign a security clearance and swear oaths, you actually have to abide by that. It is not optional.”99

99. Tate, “Bradley Manning Sentenced.”

In January 2018, Manning’s sentence was commuted by President Barack Obama—a parting gift as he left office. According to a senior administration official, the President took into account Manning’s expression of remorse, and felt that the time already served was “sufficient punishment for the serious crimes she committed.”100 Manning (who changed her gender while in prison) took her first steps as a free woman on May 17, 2017.101 In 2018, she ran for the U.S. Senate under her new name, Chelsea Manning.102

100. Jordan Fabian, “Obama Commutes Chelsea Manning’s Sentence,” Hill, January 17, 2017, http://thehill.com/homenews/administration/314663-obama-commutes-chelsea-mannings-sentence.

101. Bill Chappell, “Chelsea Manning, Once Sentenced to 35 Years, Walks Free After 7 Years,” NPR, May 17, 2017, https://www.npr.org/sections/thetwo-way/2017/05/17/528731790/after-serving-7-years-of-a-35-year-sentence-chelsea-manning-to-walk-free.

102. Ed Pilkington and Martin Pengelly, “Chelsea Manning Announces Run for US Senate with Video on Twitter,” Guardian, January 14, 2018, https://www.theguardian.com/us-news/2018/jan/13/chelsea-manning-democrat-us-senate-maryland.

10.3.11 Copycats

The techniques leveraged by WikiLeaks and its mainstream media partners in the Manning breach served as a model for future data hosts and journalists who sought to publish sensitive data leaks. For example, years later the unprecedented Panama Papers breach was leaked to a German newspaper, Süddeutsche Zeitung. After reviewing a sample of the data, the newspaper reached out to the ICIJ, which had experience coordinating large data leaks. Much like in the Manning case, the ICIJ built a searchable database of the documents in order to facilitate analysis by experts. The ICIJ then shared the material with 370 journalists from more than 100 media outlets, based in 76 countries.103 The Guardian and others established war rooms in order to analyze the monumental data trove.

103. International Consortium of Investigative Journalists, “Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption,” April 3, 2016, https://www.icij.org/investigations/panama-papers/20160403-panama-papers-global-overview.

The media partners distilled the Panama Papers leak into a myriad of powerful data products, including a searchable database, interactive relationship diagrams, and even a choose-your-own adventure game called “Stairway to Tax Heaven,” which enabled readers to digest the exposed data in novel ways.104 On Sunday, April 3, 2016, the ICIJ and partner organizations published the first articles based on the Panama Papers leak, in a media blitz that was carefully coordinated to maximize attention.

104. Organized Crime Corruption and Reporting Project, “Offshore Leaks Database,” accessed March 18, 2018, https://www.occrp.org/en/panamapapers/database; International Consortium of Investigative Journalists, “Interactive Game: Stairway to Tax Heaven,” accessed March 18, 2018, https://www.icij.org/investigations/panama-papers/stairway-tax-heaven.

10.3.12 Consequences

When the dust had settled, one thing was clear: Bradley Manning changed WikiLeaks, and WikiLeaks changed the world.

The “megaleak” (as WikiLeaks founder Julian Assange later called it) jump-started WikiLeaks as a global distribution outlet. They say what doesn’t kill you makes you stronger, and that certainly held true for WikiLeaks in the Manning case. Once WikiLeaks reached that critical level of fame, it had enough followers to easily command attention for future leaks.

“The government has recognized that WikiLeaks is not an event—it is a capability,” said New York University scholar Clay Shirky. “[A]nybody who can get material out of a classified system can now publish it worldwide in a way that can’t be redacted or removed.”105

105. Gellman, “Person of the Year 2010.”

The leaks demonstrated that even a global powerhouse as mighty as the U.S. government couldn’t stop the publication of leaked data. The world emerged with a new process for digesting and distributing stolen information, one that even large corporations and government agencies couldn’t subvert. It set an example for future would-be leakers, as well as journalists and hosting providers seeking to expose information. The Manning leak represented a key turning point for data breaches because it:

  • Showed that data exposure could have a deep impact on a breached organization, as well as far-reaching consequences that rippled around the world. This further encouraged would-be leakers (as well as extortionists, as we will see in Chapter 11, “Extortion”).

  • Demonstrated that the “insider threat” was real. No longer could organizations focus on securing their external perimeter (largely ignoring internal security, as so many organizations did). The Manning leak spurred a wave of investment to guard against inside attackers.

  • Spurred WikiLeaks to develop resilient hosting and partnerships with the mainstream media. This paved the way for the megaleaks phenomenon, which dramatically amplified the impact of exposure attacks.

  • Brought huge attention to WikiLeaks, significantly raising the profile of both the organization and its founder, Julian Assange. This turned WikiLeaks into a powerful data distribution machine because mainstream reporters (and the general public) followed his communications and new releases in droves.

Suddenly, vast volumes of data could be leaked and picked apart by journalists around the world. Attackers could selectively release or highlight certain data in order to accomplish specific objectives—whether political, economic, or financial. “These megaleaks . . . they’re an important phenomenon,” reflected Assange. “And they’re only going to increase.”106

106. Greenberg, “WikiLeaks’ Julian Assange.”

For breach responders, the lessons from the Manning case were powerful:

  • Any and all data stored digitally is at risk of exposure.

  • Exposed data can spread very quickly to reach a mainstream audience.

  • Large volumes of exposed information may be distilled into powerful data products.

  • Redaction isn’t guaranteed even when attempted.

  • Attempting to take down the data against a hosting provider’s will can result in greater publicity and empower the host (i.e., the Streisand Effect).

  • Punishing the perpetrator can (surprisingly) build public sympathy for him or her.

  • Once data is exposed, there is a good chance it will be available on the Internet permanently (particularly if it is interesting).

  • Data leaks can have extensive and unpredictable consequences, not just for the breached organization but for anyone whose information has been included in the exposed repository.

10.4 Conclusion

In this chapter, we explored the motivations for data exposure and discussed important technologies that evolved to facilitate these types of breaches. We also outlined key response tactics, including verification, identification, data removal, and public relations. Finally, we discussed megaleaks and the role that the Manning leak played in the development of this phenomenon. In the next chapter, we will see how the maturation of data exposure tactics intertwined with cyber extortion to result in a new type of data breach.
