Wikileaks may have been the big news, but there were numerous other data breaches in 2010.

The year started off with 'Aurora' - a coordinated attack against Google, Adobe, and others, which used vulnerabilities in Internet Explorer and Adobe Reader and Acrobat to steal intellectual property and attempt to access the Gmail accounts of human rights activists. This attack brought the phrase "Advanced Persistent Threat" into the lexicon. Also, it supposedly got Google to switch all employees off Windows systems and take a more 'open' approach towards China.
It wasn't just the big guys. Many, many small businesses were targeted, too. Specialized malware hit systems used for accounting and stole hundreds of thousands of dollars, often using "money mules" recruited through help-wanted ads.
Health care companies also lost your info: a former Wellpoint employee was convicted of stealing health care providers' info to buy cell phones and forge checks. Wellpoint also notified up to 470,000 members that their personal health and financial information, including some social security numbers, was exposed after a botched website upgrade. Aetna threw out a file cabinet with the personal information of about 5,000 customers, Marsh and Mercer lost a backup tape being sent by courier with data for 121 patients, and KPMG lost an unencrypted flash drive with 3,630 records. All in all, "medical identity theft" struck 5.8% of US adults.
Hotels, especially luxury brands, rose in prominence as targets of data thieves. Westin and Wyndham both acknowledged being hit. HEI, operator of Marriotts, Sheratons and Westins, sent letters to 3,400 customers stating their credit card numbers may have been compromised.
AT&T and Apple got bad press for exposing the email address of everyone who bought an iPhone 4 in its early days, and disclosing[*] information on 114,000 3G iPad purchasers. Even an Energizer USB battery charger contained a backdoor that allowed remote access into the user's system. Malicious code spread through Twitter, and a large email marketing firm had their database stolen.
Banks remained a popular target. They did themselves no favors: it was reported that up to 9,000 USB sticks were left in suit pockets at dry cleaners in London. A couple of ID thieves were convicted of stealing names and account numbers at Wells Fargo, and Wells had more trouble with insider breaches. Hackers hit online check image archiving companies for $9 million. Can't get your bank on the phone? Maybe you're the victim of a telecom denial of service, where your phone system is overloaded so that your bank cannot reach you to confirm a transaction.
Governments lose data too: from the UK Ministry of Defence down to state retirement boards. And high school students still test their school's systems. Former NYC employees stole birth certificates and social security cards to sell. The Stuxnet worm supposedly was written by one government to target the operations of another. The Pentagon reported the "most serious" breach ever, caused by a flash drive inserted into a military laptop.
Security remains hard to do right: the much-hyped Haystack program to allow dissidents free communication turned out to be snake oil. Intel admitted the encryption key for Blu-Ray was disclosed, possibly having been brute-forced instead of leaked. A proprietary encryption key in car immobilizers was cracked. The BackTrack security testing Linux distro had their site compromised.
[*] Link goes to Gawker, who had their own small data breach incident, too.
Want to read more? My most frequent sources are The Office of Inadequate Security, the RISKS digest, and the great reporting of Brian Krebs.
posted by boo_radley at 9:59 AM on December 28, 2010