The time it takes hackers to download records depends on how large the files are. A photo contains a heck of a lot of data; a text file listing your name, address, social security number, etc., would be far smaller—especially given that the data could be compressed. “If the name ‘Sam’ appears a million times, I don’t need to store it every time,” explains Vyas Sekar, an associate professor of electrical and computer engineering at Carnegie Mellon University. “I can just store one and say, ‘Everything here refers to ‘Sam.’ ” Poor Sam.
We asked three experts to guess how large the files might be, and how long it would take Boris J. Hackervich to siphon off 143 million records. Sekar suggested a file size of 20 kilobytes per record, which he considered generous. Collectively, he said, the stolen data would equate to about 800 Netflix movies, which could slip out the back door in about two and a half days. Herb Lin, senior research scholar at the Center for International Security and Cooperation at Stanford University, went with a more modest individual file size of 1 KB, which would wrap everything up in about a day. On the other end of the spectrum is Thomas Kilbride, a security consultant at IOActive, a cybersecurity firm that recently made headlines by hacking a personal-assistant robot and turning it into a stabbing machine. Kilbride used a worst-case estimate of 250 KB per record, coming up with a download time of 38 days.
Whatever the file size, it’s clear that the full data theft couldn’t take place within a single IT-security-officer’s smoke break. How can hackers conceal such long-term larcenies? They might refrain from taking all the data from one place. “They probably divvy it up among multiple machines so each one’s sending a small chunk,” Sekar says. “At no single point will it actually look like an anomaly.” Lin adds that they might choose to extend the theft over a period to avoid detection: “Let’s say you spread it out over 100 days,” he says. “Now you’re only transferring 1 gigabyte a day, and that’s just not very much.”
Moreover, Kilbride says, “An attacker may encrypt the outbound traffic to make it difficult to distinguish from legitimate traffic.” Transferring a small file wouldn’t look that different from uploading something to Dropbox. “As a security administrator, if I start flagging everybody who’s sending something to Google Drive, I’ll get a ton of false positives and have a lot of angry users,” Sekar says. Then again, if you let cybercrooks saunter off with sensitive data on almost half the people in the country, you’re going to have a lot of angry customers. It’s a difficult trade-off, of course, and one that too many companies appear to miscalculate. We might as well all unplug, move to Hawaii, and try a little harder to adequately document our new surroundings.