The Internet Archive disclosed on the 9th of October that the organisation had experienced a substantial data breach exposing approximately 31 million user records (email addresses, usernames, password hashes using bcrypt) and was simultaneously experiencing a sustained DDoS attack against the service infrastructure (Internet Archive blog post by Brewster Kahle, October 9). The Wayback Machine and the broader Internet Archive services were intermittently unavailable through the week, with progressive restoration as the recovery proceeded. Responsibility has been claimed by an apparent hacktivist grouping with stated political motivations, with no clear corroborating attribution from the security-research community.
The targeting of the Internet Archive is operationally distinctive. The Internet Archive is a non-profit organisation whose principal mission is the preservation of internet content (the Wayback Machine specifically) and other forms of cultural-heritage material. The organisation operates on a limited budget, with infrastructure that is, by its own published documentation, less robust than commercial-scale services of comparable visibility. The attack against the organisation produces a category of harm that the customer-organisation conversations have not extensively discussed previously: an attack on institutional-knowledge-preservation infrastructure has consequences for the broader information environment that the affected service supports, separately from the immediate harm to the organisation and its users.
The wider strategic point. The post-Internet-Archive customer-organisation conversations have included discussion of how the customer-organisation defensive posture should treat the broader information infrastructure that customer organisations depend on. The Wayback Machine is operationally significant for security research, journalism, regulatory and historical research, and many other categories of work; the customer-organisation operational dependency on the service is substantial in some specific contexts. The defensive question is broader than customer-organisation-specific posture and includes the question of how to support, donate to, and otherwise reinforce the institutional-knowledge-preservation infrastructure that customer organisations depend on.
For the customer-portfolio briefings. The Internet Archive case has produced specific conversations at customer organisations whose operational dependency on the service is substantial: the legal-services customer (Browne Jacobson) uses the Wayback Machine extensively for case-related research, and the manufacturer's compliance-and-regulatory function uses it for regulatory and historical research. The customer-organisation conversations have included consideration of customer-organisation contribution to and support of the service, separately from the customer-organisation defensive posture. The Internet Archive has, since the incident, received substantial public and organisational support; whether the support is sustained beyond the immediate post-incident period is the question.
I will note this for the file. The longer-form analysis of customer-organisation-dependency-on-shared-information-infrastructure is going into the regulatory-environment book.