It should come as no surprise that 2008 was an eventful year for online security pundits. Record instances of data breaches, identity theft, vulnerability disclosures and hotfixes were seen throughout the year. Both state and non-state actors were involved — on the public side, cyberwar in Georgia and alleged Chinese cyber-espionage; in the private sector, new low-level DNS exploits, SSL flaws and routing bugs were uncovered.
In a series of posts, I summarise the eight top cybersecurity issues for 2008 and their likely outcome in 2009, beginning with data security.
- Data breaches up 69 per cent in 2008
In July 2008, researchers at the Identity Theft Resource Centre reported 342 data breaches since January, up 69 per cent compared with 2007. Most breaches affected government or military entities, followed by the education and business sectors. Most data was lost in transit (typically stolen laptops or lost USB sticks), but a surprising amount was also found to have been posted accidentally to the web.
- T-Mobile loses personal records of 17.2m customers
Evidently the year ended on a high note — the Open Security Foundation reports only 382 incidents for the year. The largest single incident involved T-Mobile (Deutsche Telekom), a European mobile carrier, which lost 17m customer records following a misplaced hard disk. The loss remained unreported until the data turned up for sale on an online auction site.
- Bank of New York ‘misplaces’ 12.5m customers’ details
An honourable mention also goes to the Bank of New York Mellon, from which 12.5m records were stolen from couriers during a routine transfer of backup tapes to a secure storage facility. The Bank set up a website (helpfully entitled ‘Protecting Client Information’) about the incident, and offered $25 000 worth of identity theft insurance to affected customers.
- TJX data thief gets five years’ prison
In August 2008, United States police arrested 11 people in connection with the massive data breach at TJX Companies Inc. Some estimates place the number of disclosed credit card numbers at 45 600 000; others range as high as 94 000 000. The accused were charged with four felony counts, including wire and credit card fraud and aggravated identity theft. Several of the accused pleaded guilty. One 19-year-old was fined $600 000 and sentenced to five years’ imprisonment (his mother was deported to Venezuela); others are awaiting sentence.
- Hannaford Brothers’ suspected negligence leads to credit card leak
In March 2008, the major United States supermarket disclosed a serious data breach. Persons unknown (probably insiders) managed to infect payment servers at nearly all of Hannaford’s 300 stores. The malware ran silently for over three months, collecting credit and debit card numbers from supermarket payment systems. Experts have stated that the incident reflects a ‘maniacal focus on compliance with various standards and regulations has created a climate in which passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets’. Lesson learned: standards compliance is not indicative of adequate security — what then is an appropriate standard of care in tort?
- Confidential Home Office disc auctioned on eBay
In February 2008, staff at a Manchester computer retailer found a disc labelled ‘Home Office: Confidential’ hidden under the keyboard of a laptop brought in for repairs. Staff informed the police, thinking it might have been smuggled out of a government office. The disc was also found for sale on eBay; fortunately, however, the data (at least on the disc recovered by police) was encrypted.
The following month, the United Kingdom Conservative Party announced various measures designed to prevent cybercrime and data breaches, including a new Minister of Cybersecurity. Amendments to United Kingdom privacy legislation would also require mandatory notification of data breaches by financial institutions to the Financial Services Authority. While many of the proposals were political puffery — there is already an Information Commissioner responsible for data breaches — the focus on cybersecurity has been welcomed, and parallels reforms proposed in jurisdictions such as Australia.