Anatomy of a Breach: WikiLeaks and Chelsea Manning — The Largest Classified Leak in Military History

> series: anatomy_of_a_breach —— part: 017 —— subject: chelsea_manning —— documents: 750,000 —— classification: secret

Hedgehog Security 31 May 2010 14 min read

One analyst. One writable CD. 750,000 classified documents.

In early 2010, Private First Class Chelsea Manning (then known as Bradley Manning), a 22-year-old US Army intelligence analyst stationed at Forward Operating Base Hammer near Baghdad, began downloading classified documents from the Secret Internet Protocol Router Network (SIPRNet) — the US military's classified network. Manning copied the files to a rewritable CD labelled 'Lady Gaga' and uploaded them to WikiLeaks, the transparency organisation founded by Julian Assange. The total volume exceeded 750,000 classified and sensitive documents.

The leaks were released in phases throughout 2010: the Collateral Murder video in April (classified footage of a US Apache helicopter attack in Baghdad), the Afghan War Diary in July (75,000+ classified reports), the Iraq War Logs in October (391,832 reports), and Cablegate in November (251,287 diplomatic cables). Together, they constituted the largest leak of classified information in military history — and the most consequential insider threat incident ever documented.


The insider controls that did not exist.

Manning had a Top Secret/SCI security clearance and routine access to SIPRNet as part of her intelligence analyst role. She downloaded the documents over a period of weeks, copying them to rewritable CDs in a SCIF (Sensitive Compartmented Information Facility) where personal music CDs were permitted. She lip-synced to Lady Gaga songs while the data transferred — an act that would have appeared entirely normal to colleagues.

No Technical Controls on Data Export

Manning was able to copy hundreds of thousands of classified documents to removable media without triggering any technical alert. There was no data loss prevention system on SIPRNet monitoring for bulk downloads, no restriction on writable media in the SCIF, and no anomaly detection on database query patterns. The same failure we identified in the <a href="/blog/anatomy-of-a-breach-t-mobile-uk-insider">T-Mobile insider breach</a> — but with national security consequences.

Over-Broad Access

Manning, a junior analyst, had access to the same databases as senior intelligence officers. The principle of least privilege — granting users only the access their role requires — was not applied. Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> assesses privilege separation and access controls to identify exactly this type of over-provisioning.

No Behavioural Monitoring

Manning's download patterns — accessing hundreds of thousands of documents across multiple databases, far beyond what her duties required — should have triggered behavioural alerts. No such monitoring existed. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides behavioural analytics that detect anomalous data access patterns — the capability that was absent on SIPRNet.

Security Culture vs. Security Technology

The US military's security culture was built on trust — the assumption that cleared personnel would not misuse their access. Manning demonstrated that trust without verification is not a security control. Technical enforcement of access policies, combined with continuous monitoring, is the only reliable defence against insider threats — as our <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain analysis</a> discusses.
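The bulk-download detection and behavioural monitoring described in the sections above, as an added example that is not part of the original article and not code from any Hedgehog product or from SIPRNet tooling: a small Python detector that builds a per-analyst daily baseline from constructed audit records, flags days whose query volume is far above both the analyst's own history and that of their peers, and correlates removable-media writes with those days. The log format, usernames, database and device names, and the thresholds are all assumptions chosen for illustration.

```python
"""Behavioural detection of bulk document access and removable-media writes.
Added illustrative example; the log format, users and numbers are constructed."""
from collections import defaultdict
from statistics import median

# Constructed audit records, one per line:
#   <date> <user> <action> <target> <count>
# action is "query" (count = documents returned) or
# "media_write" (target = device, count = files written).
SAMPLE_LOG = """\
2010-01-04 analyst_a query cable_db 42
2010-01-04 analyst_b query cable_db 57
2010-01-04 analyst_c query cable_db 48
2010-01-05 analyst_a query sigact_db 38
2010-01-05 analyst_a media_write cdrw0 12
2010-01-05 analyst_b query cable_db 61
2010-01-05 analyst_c query sigact_db 52
2010-01-06 analyst_a query cable_db 51
2010-01-06 analyst_b query sigact_db 49
2010-01-06 analyst_c query cable_db 44
2010-01-07 analyst_a query sigact_db 45
2010-01-07 analyst_b query cable_db 55
2010-01-07 analyst_c query cable_db 9500
2010-01-07 analyst_c query sigact_db 10000
2010-01-07 analyst_c media_write cdrw0 9800
2010-01-08 analyst_a query cable_db 40
2010-01-08 analyst_b query sigact_db 58
2010-01-08 analyst_c query sigact_db 21000
2010-01-08 analyst_c media_write cdrw0 8000
"""

RATIO = 5.0              # flag when daily volume exceeds RATIO x baseline
MIN_HISTORY = 3          # days of own history needed before self-baseline is trusted
MEDIA_FILES_LIMIT = 100  # files in one removable-media write before alerting


def parse_log(text):
    """Turn the whitespace-separated audit lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        day, user, action, target, count = line.split()
        records.append({"day": day, "user": user, "action": action,
                        "target": target, "count": int(count)})
    return records


def daily_totals(records):
    """Documents returned per (user, day), summed across all databases."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "query":
            totals[(r["user"], r["day"])] += r["count"]
    return totals


def detect_bulk_access(records, ratio=RATIO, min_history=MIN_HISTORY):
    """Flag (user, day) pairs whose volume dwarfs both the user's own
    leave-one-out median and the median of everyone else on that day."""
    totals = daily_totals(records)
    flagged = []
    for (user, day), total in sorted(totals.items()):
        own_history = [v for (u, d), v in totals.items() if u == user and d != day]
        peers = [v for (u, d), v in totals.items() if u != user and d == day]
        peer_base = median(peers) if peers else 0
        # A newcomer has no trustworthy history, so fall back to the peer group.
        own_base = median(own_history) if len(own_history) >= min_history else peer_base
        baseline = max(own_base, peer_base, 1)   # must exceed BOTH baselines
        if total > ratio * baseline:
            flagged.append({"user": user, "day": day, "total": total, "baseline": baseline})
    return flagged


def detect_media_exfil(records, files_limit=MEDIA_FILES_LIMIT):
    """Alert on removable-media writes that are large in themselves or that
    land on a day already flagged for bulk access (a small music-CD burn by
    an otherwise normal user produces no alert)."""
    hot = {(f["user"], f["day"]) for f in detect_bulk_access(records)}
    alerts = []
    for r in records:
        if r["action"] != "media_write":
            continue
        reasons = []
        if r["count"] > files_limit:
            reasons.append("large_write")
        if (r["user"], r["day"]) in hot:
            reasons.append("bulk_access_same_day")
        if reasons:
            alerts.append({"user": r["user"], "day": r["day"], "device": r["target"],
                           "files": r["count"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detectors over an audit log and return their findings."""
    records = parse_log(text)
    return {"bulk_access": detect_bulk_access(records),
            "media_alerts": detect_media_exfil(records)}


if __name__ == "__main__":
    for section, items in run().items():
        print(section)
        for item in items:
            print("  ", item)
```

The two-sided baseline (own history and peer group) is what keeps the false-positive rate tolerable in a SCIF where every analyst legitimately touches many records a day: a single heavy but plausible day is not enough, and a brand-new user without history is judged against colleagues rather than against nothing. Correlating the media write with the same-day access anomaly is the piece that turns a noisy "someone burned a CD" event into an actionable insider alert.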

What the leak changed.

Manning was arrested on 27 May 2010 after a former hacker, Adrian Lamo, reported her to the US Army's Criminal Investigation Command. She was convicted in 2013 under the Espionage Act and sentenced to 35 years in military prison — later commuted by President Obama in 2017. The Manning case led to a fundamental overhaul of how the US Government controls access to classified information, including the deployment of user activity monitoring on classified networks and restrictions on removable media.

For organisations in the UK defence supply chain, the Manning case is a stark illustration of insider threat risk. Cyber Essentials Plus — mandatory for MoD contracts — addresses technical controls including access management and device security. Our penetration testing validates these controls. Data loss prevention through SOC in a Box provides the continuous monitoring that detects bulk data export. And UK Cyber Defence's incident response provides the forensic capability when an insider incident is suspected.


If the US military could not stop an insider, can you?

Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> simulates insider threat scenarios. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects anomalous data access. <a href="/cyber-essentials">Cyber Essentials</a> enforces baseline access controls. The Manning case proved that trust alone is not a security strategy.
