may have been the big news, but there were numerous other data breaches in 2010.
The year started off with 'Aurora', a coordinated attack against Google, Adobe, and others, which used vulnerabilities in Internet Explorer and in Adobe Reader and Acrobat to steal intellectual property and to attempt access to the Gmail accounts of human rights activists. This attack brought the phrase "Advanced Persistent Threat" into the lexicon. It also supposedly got Google to switch all employees off Windows systems and take a more 'open' approach.
It wasn't just the big guys. Many, many small businesses were targeted. Specialized malware hit the systems used for accounting and stole hundreds of thousands of dollars, with the proceeds often moved through "money mules" recruited through help-wanted ads.
Health care companies also lost your info: a former Wellpoint employee was convicted of stealing health care providers' information to buy cell phones and forge checks. Wellpoint also notified up to 470,000 members that their personal health and financial information, including some social security numbers, had been exposed after a botched website upgrade. Aetna threw out a file cabinet containing the personal information of about 5,000 customers, Marsh and Mercer lost a tape, sent by courier, holding data on 121 patients, and KPMG lost an unencrypted flash drive with 3,630 records. All in all, "medical identity theft" reportedly struck 5.8% of US adults.
Hotels, especially luxury brands, rose in prominence as targets of data thieves. Westin and others acknowledged being hit. HEI, operator of Marriotts, Sheratons and Westins, sent letters to 3,400 customers stating that their credit card numbers may have been compromised.
AT&T and Apple got bad press for exposing the email address of everyone who bought an iPhone 4 in its early days, and for disclosing [*] information on 114,000 3G iPad purchasers. Even the software bundled with an Energizer USB battery charger contained a backdoor that allowed remote access to the user's system. Malicious code spread through Twitter, and a large email marketing firm had its database stolen.
Banks remained a popular target. They did themselves no favors: it was reported that up to 9,000 USB sticks are left in suit pockets at dry cleaners in London. A couple of ID thieves were convicted of stealing names and account numbers at Wells Fargo, and Wells had more trouble with insider breaches. Hackers hit online check image archiving companies for $9 million. Can't get your bank on the phone? Maybe you're the victim of a telecom denial of service, in which your phone system is flooded with calls so that your bank cannot reach you to confirm a transaction.
Governments lose data too: from the UK Ministry of Defence down to state retirement boards. And high school students still test their school's systems. Former NYC employees stole birth certificates and social security cards to sell. The Stuxnet worm was supposedly written by one government to target the operations of another. The Pentagon reported the "most serious" breach ever, caused by a flash drive inserted into a military laptop.
Security remains hard to do right: the much-hyped Haystack program, meant to give dissidents free communication, turned out to be snake oil. Intel admitted that the disclosed HDCP master key, which underlies the copy protection on Blu-ray and other HD video links, was genuine, possibly having been brute-forced rather than leaked. The proprietary encryption used in car immobilizers was cracked. The BackTrack security testing Linux distro had its site compromised.
[*] Link goes to Gawker, who had their own data breach incident in December, too.
Want to read more? My most frequent sources are The Office of Inadequate Security, the RISKS digest, and the great reporting of Brian Krebs.