Top Hacks, Breaches and Compromises of 2010 (So Far)

In June, researchers at Goatse Security uncovered a flaw on AT&T’s Website and used it to get their hands on 114,000 e-mail addresses belonging to Apple iPad 3G owners. AT&T was not pleased, and the FBIlaunched an investigation.

Underscoring the intersection of IT security and physical security, an old-fashioned theft of two safes from the Education Credit Management Corporation endangered personal information belonging to 3.1million college students. Inside the safes were nearly 650 disks with student information belonging to the corporation, which services and insures college loans. The safes were recovered by police in Minnesota along with what is believed to be all of the disks.

Armed with a cross-site scripting vulnerability and a Tiny URL redirect, hackers targeted the open-source Apache Foundation and swiped passwords from the server hosting software Apache uses to track issues and requests.

Argentinian hacker Ch Russo and two associates used numerous SQL injection vulnerabilities in the popular file-sharing Website to access the user database, exposing e-mails, user names and IP address information for more than 4 million users. Russo said neither he nor his cohorts did anything to alter ordelete information in the database.

A business logic flaw in a third-party program used by health insurer WellPoint opened up 470,000 customer records for exposure. Though the glitch was fixed in March, the company reportedly only learned of the vulnerability when a California customer sued after discovering she could get confidential information about other customers by manipulating Web addresses used in the program.

Not exactly a hack, but a compromise nonetheless. Security pros believe that 400 phished accounts were used by an iPhone app developer to fraudulently purchase his programs from the Apple App Store and boosttheir popularity ratings.

Records for nearly 200,000 people were swiped from the servers of e-commerce company Digital River. The information included names, e-mail addresses and other data originally gathered by companies offering affiliated marketing programs. In May, the company got a court order to stop a New York man from selling, altering or destroying the data after he was caught trying to sell the information to a marketing firm for$500,000.

In April, the Department of Social Services in Virginia Beach, Va., revealed eight employees were fired or disciplined over the previous year for accessing confidential information about former employees, family members and clients. The violations ran the gamut from a boss who forced her employees to gather information from a state database about her husband’s child to a worker who checked the status of a dead client’s Medicaid benefits.

When Google announced in January it had been breached, it touched off months of controversy and accusations that reached around the world. The cyber-attack is believed to have run from mid-2009 to that December. The attack also affected dozens of other organizations, including Adobe Systems and Juniper Networks.