Financial Value of Data Centers
How a Gang of Thieves Pulled Off a Multimillion-Dollar Data Center Heist - The New York Times
The world’s most valuable assets are stored on rows of servers in giant, anonymous buildings. And they can be stolen.
Nathaniel Rich examined the Verizon heist while conducting research for his novel “Cloudthief.”
The bankers “were involved in prime mortgages” and had “circumnavigated” certain regulations. Damning evidence of these circumnavigations could be found in banking files held in the King’s Cross area in a giant building known as a data center.
This data center was operated by the business division of Verizon, which had inherited the facility, and about 20 other data centers, through a recent series of corporate mergers. Among the corporations that rented server space from Verizon were various major financial institutions, including one of the world’s largest banks.
Ellis’s assignment was to break into the data center and steal around 80 servers that hosted the incriminating files.
The world’s most valuable commodity is not stored in banks, jewelry boutiques or the Louvre. It lives in giant, anonymous, energy-devouring warehouses filled with fiber-optic cables, industrial-scale cooling systems and server racks.
The latest generation of data centers will mainly be used, at a cost of several trillion dollars, to power artificial intelligence. Until now, however, the primary function of data centers has been to store the world’s information. The entire searchable internet, for instance, lives in data centers. But that’s not all. Data centers also store most private digital systems: your email accounts; your medical, pension and educational records; every book and archive ever digitized; every social network and dating app; every government and corporate database. Nearly any time you access electronic data — any time you swipe or scroll or speak a voice command — you rely on the services of a data center.
The public fogginess about data centers is not an accident. It is the product of a willful strategy by the world’s largest tech corporations, whose business models rest on the public assumption that the internet, and all the data it holds, is as immaterial as air — or as a cloud, to borrow the metaphor commonly used to describe the sum of information stored on servers. As the digital-media scholar Tung-Hui Hu writes in “A Prehistory of the Cloud,” the cloud “hides its physical location by design.”
This use of “cloud” dates back at least as far as the mid-1990s, but it didn’t enter the public consciousness for another decade, after the chief executives of Amazon and Google began to market the wonders of “cloud computing.” Information, they declared, had been liberated — emancipated from the prison of the desktop computer and evaporated into the atmosphere. The cloud soon became a permanent feature of the cultural landscape. Many of us began to believe that digital information had actually become vaporous. The metaphor evoked mantras that tech boosters recited with religious zeal, like “Everything is connected” or “Information wants to be free.”
But information does not float in the air. It is encoded on servers: computers without monitors or keyboards, rectangular boxes dotted with blinking LEDs, stacked in vast grids held in warehouses. Our phones and tablets and laptops are so light because they contain little more than a screen, a battery and an antenna. Their powers are merely borrowed, at up to 1,000 megabits per second, from data centers.
By the time Ellis learned about the Verizon job, data collection had quietly become the most critical economic force in modern life. “Data is the new oil,” the British mathematician and data scientist Clive Humby wrote in 2006, an expression that quickly assumed the status of an adage. In the last two decades, data storage has grown into the core business of some of the world’s most valuable corporations. Amazon, for instance, is not, primarily, an e-commerce business. It is a data storage business: Amazon Web Services, the data server provider it started in 2006, accounts for more than half of its profits, and in some quarters as much as 74 percent of its profits. A.W.S.’s clients include, among others, the Library of Congress, the U.S. Treasury, the National Security Agency, the I.R.S. and The New York Times.
Google Cloud represents 15 percent of Alphabet’s income, but it is its fastest-growing division. Microsoft recently disclosed that its own fastest-growing revenue source was its data storage services, which it groups together under the rubric Intelligent Cloud; it hosts the British government, Starbucks, Shell, OpenAI and the U.S. Department of Defense.
Amazon and the other data behemoths speak of the value of their data center operations about as openly as they do their internal algorithms. For two years after building its first data center, Google refused to acknowledge it existed; to this day, it requires visitors to all its centers to sign nondisclosure forms. Amazon and Microsoft still do not disclose the exact number or size of their data centers, indicating their locations only by region or “availability zone.”
Why the secrecy? It’s hard to tell exactly. A guardedness about proprietary business operations is part of the explanation. An effort to conceal the environmental cost is another: Between the energy consumption of the servers and the cooling systems that prevent them from bursting into flames, data centers are responsible for the release of monstrous quantities of greenhouse gases. The largest data centers can consume the energy of two million homes. If the world’s data centers made up a 51st American state, it would rank second in energy consumption, just behind Texas.
But the most likely rationale for the tech companies’ reluctance to discuss the details of their core business is related to security. The anonymous warehouses we call data centers are the lockbox of the global economy.
“You could blow up Wall Street tomorrow, and it would have a minimal impact on the stock market,” says Brian Higgins, who teaches disaster management at the John Jay College of Criminal Justice and directs the security consultancy firm Group 77. The New York Stock Exchange in fact trades at a data center in Mahwah, N.J. If you want to bring the global financial system to its knees, Higgins says, bomb Mahwah.
“People think that information has no value, that it’s just in the air,” says Maryam Farboodi, a professor of finance at Cornell University who studies the economics of big data. But when mountains of data are concentrated in a single facility, they are susceptible to being stolen. And not just by hackers. “We tend to think of data breaches in terms of cybersecurity,” Farboodi says. “But there is not much appreciation that data are physically somewhere. And someone can actually go and steal them.”
The Independent and The London Standard each ran headlines about an “Ocean’s Eleven” heist the next morning, but the reported haul seemed relatively modest. Yes, the thieves made off with more than $1 million of computer hardware. But the general tone of the press reports was reassuring. The data center’s employees were unhurt (though one had to be treated for shock). And despite the scale of the theft, the articles repeatedly emphasized that no valuable information had been stolen. “A huffy Verizon publicist admitted that there had been a ‘service interruption,’ but that none of the servers had gone down,” The Independent reported.
This is the standard response from companies to incidents of physical data theft. The attackers, it is usually claimed, were after only hardware, not information. The value of the hardware is disclosed, but the value of the data it holds is minimized or goes unmentioned. Why, a careful reader might wonder, would a thief go to the extreme measure of infiltrating a data center to steal loaded hard drives — when servers could be much more easily plucked from warehouses or computer stores or freight trucks?
Data center heists belong to that rare class of crime, like blackmail and extortion, in which the victim eagerly participates in the cover-up. Were a data center to admit to flaws in its security, it would only encourage additional attacks and scare away its clients.
When a thief dropped through the ceiling of a Midwestern data center operated by American Insurance Group in 2007 and seized a server containing the medical records of nearly a million people, the value of the theft was reported as $10,000. After a center in Chicago containing data from corporations in 190 countries was robbed by men with tasers, customers were told that the only consequence was a temporary power outage; it was the fourth such incident in a two-year period. In 2015, when five servers containing the personal details of 90,000 donors were stolen from Plan International UK, the charity emphasized that no credit card information had been stolen.
Since Ellis’s day, the physical threat matrix has shifted on several axes. As cloud storage has come to be dominated by abundantly resourced tech giants, physical data attacks have declined. Most successful attacks, Bekisz observes, have been crimes of opportunity: inside jobs by employees, usually looking to pawn expensive hardware, or theft of servers and computer chips in transit
Ellis received a nine-year sentence for the Verizon theft and concurrent sentences for the vegan factory robbery and two others. Newspaper articles at the time described the data center heist as a “£5M burglary.” Ellis considered this a lucky break — £5 million, after all, was the replacement cost of the data servers. The value of the data they stole, Ray had told Ellis, was 20 to 40 times as much. Ellis was sentenced to 16 years and released after eight and a half. “The sentences they have received are a clear indication of the seriousness of the offenses they committed,” Raj Mahajan, a Metropolitan Police detective inspector, said at the time, “and should act as a deterrent to anyone else considering a similar type of venture.”