Oldest Computer PII Data Loss Uncovered

The guys at DataLossDB.Org ran a user contest looking for the oldest reported instances of personally identifiable information that was stolen or lost by an organization that would, under today’s standards, have to be disclosed according to law. As it turns out, the oldest instance was that of patient records disappearing from a Los Angeles hospital for the insane in 1903. But the oldest computer incident found relates to a hospital that suffered a breach via a phone line by hackers from Milwaukee in 1983. It involves a VAX 11-780 by Digital Machine corp.

That article is online courtesy of Time Magazine here:

One Friday morning last June, Chen Chui, systems manager of the hospital’s medical physics computer service, discovered to his great astonishment that a Digital VAX 11/780 computer, which monitors the radiation treatment for 250 patients, had inexplicably failed during the night. Looking into the machine’s log, he found that a file of billing records worth about $1,500 was missing and that passwords had been issued to five unauthorized accounts. Chui deleted the new names and took the extra precaution of replacing all the passwords for those authorized to change patient records.

Chui hoped that that would be the last of it. It was not. After the weekend he discovered that someone had made contact with the computer through a telephone hookup and introduced a new program: whenever a legitimate user typed in his password, the code name was immediately sent to the intruder. “It was panic,” says Dr. Radhe Mohan, director of the computer service. “Someone was up to big mischief that could have conceivably caused harm.”

Sloan-Kettering officials called the New York City police, the FBI and New York Telephone security, which tapped the phone lines connected to the machine. Then Chui tried to reach the intruders by leaving messages in their computer terminals. “You have done some harm to the system,” read one plea. “Please call us and help us repair the damage.” About an hour after the message went out, someone called back. “He said he was sorry,” recalls Chui. “But when we asked how he got into the system he refused to answer.”

Over the next two months there were about 20 other calls to the computer; the most recent took place on Aug. 11. In July the hospital received a tip identifying two young men in the Milwaukee area as the source of the trouble. The two were innocent, but the Milwaukee connection turned out to be the break that police needed. For months, FBI agents had been tracking the activities of a loosely organized gang of computer enthusiasts in and around Milwaukee who call themselves “the 414s” after that city’s telephone area code. Using home computers connected to ordinary telephone lines, they had been breaking into computers across the U.S. and Canada, including one at a bank in Los Angeles, another at a cement company in Montreal and, ominously, an unclassified computer at a nuclear weapons laboratory in Los Alamos, N. Mex.

What a shock that the Los Alamos labs had such crappy cyber security back then too. Check out the rest of the contest results over at DatalossDB here.