Nervous System: The First Major Data Breach: 1984

Data breaches affecting millions of Americans are not a new phenomenon. David Kalat writes about the time in 1984 when over ninety million Americans had their credit histories exposed.

In June 1984, the New York Times reported that the credit histories of over ninety million Americans had been exposed. The scale of the compromise was staggering. It remains one of the largest identity-theft data breaches that the financial services industry has publicly acknowledged. The New York Times reporter, however, struggled to explain the event to the paper’s readers. The story turned on the theft of a computer password that was then posted to an electronic bulletin board. These were not familiar concepts in 1984.

The incident began at a Sears Roebuck & Co. store in Sacramento, California. When a customer wanted to buy merchandise on credit, store employees could check the customer’s credit history using a teletype terminal linked to the credit reporting agency, TRW Information Services. In order to access this terminal, store employees first had to input a numeric passcode. The code was written on a notepad, much as many users today write out passwords on sticky notes posted to their computers.

As data breaches go, the theft was decidedly low-tech. The use of password-based security depends on a longstanding and fundamental misalignment of interests. From the organization’s perspective, the numeric passcode was a critical element of data security, shielding the sensitive credit history information for tens of millions of consumers from any unauthorized eyes. Meanwhile, the end users of computer systems often perceive passwords to be a nuisance, a procedural hindrance to productivity. Users write out passwords, or share them, thinking them just an administrative hurdle to be jumped on the way to some other goal (such as checking a credit history in order to sell a refrigerator).

The thieves who copied the passcode from the store’s note posted the information to an electronic bulletin board. For the benefit of its readers in 1984, the reporter explained this was a “computer file accessible to subscribers by phone.” The code remained there for at least a month before an anonymous tipster informed TRW of the breach.

The credit company changed the password to prevent further harm. Worryingly, though, the ensuing investigation discovered that other passwords from other stores had ended up online as well. This had apparently occurred because some were printing the login credentials on the credit reports. The Akron Beacon Journal quoted one angry businessman as saying, “What you’re telling me is that anyone who goes through my garbage can use my password.” Left unsaid was the fact that the businessman in question had been discarding unshredded credit reports into his trash, exposing consumer credit histories to thieves along with his password.

Over the summer of 1984, TRW’s investigators found no evidence that fraudulent charges had resulted from these exposures. TRW’s investigators knew what to look for in part because they had experienced an incident just two years previously that had resulted in fraudulent charges. In that prior incident, two private investment agencies had used legitimate passwords to connect to TRW’s network, but for illicit purposes. A police investigation determined the agencies were harvesting the profiles of good credit risks and using the data to alter the histories of customers with bad credit histories so that they could obtain credit cards. The miscreants behind that scheme were caught and prosecuted, whereas the thief or thieves who stole the Sacramento store’s password were never identified.

Had the Sacramento thief been caught, it is unclear what the consequences may have been. Unlike the previous case, this theft did not appear to have resulted in any untoward activity—no one’s credit was apparently affected, and no merchandise was apparently purchased improperly. In the years before stricter computer crime laws, merely obtaining unauthorized access to confidential information was not necessarily illegal.

In 1986, the Computer Fraud and Abuse Act was passed to strengthen legal protections against such intrusions. Business leaders took computer security increasingly seriously, and a whole category of “cybersecurity” began to evolve in response.

In the years that have followed the TRW breach, the exposure of confidential consumer information has only increased in frequency and scale. Part of what made the TRW breach newsworthy in 1984 was its unusual, almost science-fictional curiosity. Sadly, password-based security has not materially improved, and hackers continue to breach systems using passwords that are too easily guessed, borrowed, or copied. The TRW breach and many subsequent similar incidents demonstrate the challenge of keeping sensitive and confidential information secure when those protections can be undermined by the habits and behavior of the least security-minded of the system’s users. In 1984, most people were unfamiliar with the ideas of computer security and online bulletin boards; but more than three decades later, it is still common to find passwords written out on notes.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.

Read the latest Nervous System article. (subscription required)