Data Breaches, Vulnerabilities Down In 2010

2010 has been a tough year for businesses all ’round, but according to the DataLoss Database, events involving the loss, theft, or exposure of personally identifiable information are down this year.  I’m quite surprised, and will have to look into why the numbers are down, but the amount of noise is certainly way, way up.  A link-heavy post, but you always get what you pay for here…

So far, DataLossDB lists 363 breaches recorded in 2010, compared with 604 last year and 787 in 2008.  Of course the high-profile WikiLeaks issues, and the follow-on repercussions of that unfortunate event, do not appear to be represented in this data set.  OSF-DataLoss-DB

On the vulnerability side of the security equation, NIST’s National Vulnerability Database, which indexes CVE (Common Vulnerabilities and Exposures) records, reports that to date there are 4,430 CVE records on the books for 2010, with roughly 3 weeks left to go.  1,995 of those CVE records were rated High severity by CVSS base score.  Microsoft’s December patches are expected to add about 40 more, and Adobe is expected to add a few more as well.  For comparison, 2009 closed with 5,753 records, 2,720 of them rated High.  NIST-CVE

Recent Incidents:

McDonald’s relied on a long-time business partner, Arc Worldwide, for certain McDonald’s websites and promotions.  McDonald’s hired Arc to develop and coordinate the distribution of promotional e-mail messages, and Arc in turn relied on an unidentified e-mail company to manage the customer information database.  It was this third-party e-mail company’s systems that were broken into. PCWorld

Servasport Ltd, a Belfast-based company which maintains the GAA’s database, has apologised to the sports organisation after discovering that it had fallen victim to unauthorised access.  The database contained the names and addresses of 501,786 members, as well as many dates of birth, mobile and home phone numbers, and email addresses.  Some records also contained information on the medical conditions of GAA members.  One man has been arrested.  BelfastTelegraph

A loosely organised group of Internet hacktivists called Anonymous took down Visa’s website, after organising a similar attack on MasterCard.  The group has been encouraging volunteers to download software called “Low Orbit Ion Cannon”, which in its “hive mind” mode lets an operator steer the volunteers’ own machines at a target from a central channel, turning them into a distributed denial of service (DDoS) attack.  The point of the attacks is to put pressure on financial companies that recently cut ties with the WikiLeaks website over its planned publication of more than a quarter million US Department of State classified cables.  Of course, they also targeted a host of other sites, like PayPal, Amazon and others.  TechWorld   Dutch authorities arrested a 16-year-old boy on Wednesday in relation to the attacks.  Online payments company Moneybookers has become the latest firm to feel their DDoS wrath.  Finextra   Anonymous is also threatening to attack British government websites if police extradite WikiLeaks founder Julian Assange to Sweden, where he is wanted for alleged sexual assault.  CSMonitor
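A volunteer flood of the kind described above looks very different from ordinary traffic in a web server’s access log: a small set of sources each hammer the same URL far faster than any browser would.  The script below is an added illustration of the simplest check for that, and is not code from this post or from any of the companies or groups it names.  It parses Common Log Format lines, counts requests per source per second, and flags sources whose peak rate exceeds a threshold.  The sample log lines, timestamps, paths and the threshold of 20 requests per second are all constructed for the example, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Rate-based flood detection over web-server access-log lines.

Added example for illustration only; not code from the post or from any
site it names.  Sample lines below are constructed, and all IPs are
documentation addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into (ip, datetime, request-line), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def peak_rps(lines):
    """Return {ip: highest number of requests seen from it in any one second}."""
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of aborting the scan
        ip, ts, _ = parsed
        per_second[(ip, ts.replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_floods(lines, threshold=20):
    """Sources whose peak request rate exceeds threshold, as (ip, rate), highest first."""
    hits = [(ip, r) for ip, r in peak_rps(lines).items() if r > threshold]
    return sorted(hits, key=lambda t: -t[1])


def make_sample_log():
    """Constructed sample: two flooders hitting '/' and one ordinary visitor."""
    base = '{ip} - - [10/Dec/2010:14:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 5123'
    lines = []
    for sec in range(3):
        lines += [base.format(ip="203.0.113.7", sec=sec, path="/")] * 60
        lines += [base.format(ip="198.51.100.9", sec=sec, path="/")] * 45
    # A normal page load: one request per second across a few resources.
    for sec, path in enumerate(["/", "/style.css", "/logo.png"]):
        lines.append(base.format(ip="192.0.2.44", sec=sec, path=path))
    lines.append("garbage line that does not parse")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for ip, rate in flag_floods(make_sample_log()):
        print(f"{ip}: peak {rate} req/s")
```

Per-source rate is a coarse signal: a genuine flood may come from thousands of low-rate sources, and a busy NAT gateway can exceed a low threshold legitimately, so in practice this is a first filter that feeds a rate limiter or a closer look, not a block list on its own.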

Hackers infiltrated the University of Wisconsin (UW)-Madison computer systems and accessed the personal information of tens of thousands of individuals affiliated with the university.  SCMag

Officials from the Social Security Administration are assessing the damage done by an individual who is in custody in connection with the illegal download of the personal information of 15,000 New Yorkers who have filed disability claims.  PoughkeepsieJournal

Pharmacy giant Walgreens has told customers that a criminal stole its e-mail marketing list.  The criminal used the list to send out realistic-looking spam that asked recipients to enter their personal information into a Web page controlled by hackers.  No prescription information or other health information was stolen, the company said; the criminal only managed to pilfer customer e-mail addresses.

Semi-nude photos of Christina Aguilera have been leaked to the press, illegally obtained by a hacker who tapped into Christina’s personal stylist’s account.  The photos were taken in the privacy of Ms. Aguilera’s home and were used only in a personal exchange between the star and her stylist.  Christina joins Twilight star Ashley Greene and princess-to-be Kate Middleton among the celebrity names recently used as malware bait for the unwary.  Sophos

All this in just the last couple of weeks, and according to a new study, two-thirds of employees expose sensitive data outside the workplace, some even revealing highly confidential information such as customer credit card and Social Security numbers.  No hacking needed!   TheNewInternet
It will be interesting to see what all the vendors and consulting firms like Sophos, McAfee, Symantec and Telus report at the year’s end when they summarize their findings.