[Cross Post from the uTest Software Testing Blog.]
We’re just about halfway through the year but I’m calling it now: 2011 is the year of the hacker. Grim?  Maybe.  Just about every week there has been a new story about a company being hacked and it’s costing companies millions of dollars and even more for their brand reputation.
While only two of these hacks really impacted a company I use heavily, I thought I’d do a quick countdown on the top hacks of 2011 and the associated costs.
7) Dropbox
The file-sharing site opened the doors for four hours this week, allowing anyone with a login to access other accounts. It turns out that it was a self-inflicted wound: Dropbox broke their own authentication system. While the financial impact probably won’t be released, just browse through the 600+ customer comments to see how the issue and their response impacted their brand. It’s a bug, not a hack, but certainly something that could have been avoided with ample testing prior to a full launch.
Responsible: Themselves.
Cost: A self-reported “much less than 1%” of their more than 25 million users were impacted to an undisclosed extent.
6) MovableType / PBS.org
In pure retaliation, a group of hackers targeted PBS.org in response to a Frontline episode’s portrayal of WikiLeaks leaker Bradley Manning. The hackers gained control of PBS.org and republished false information. PBS was not able to immediately regain control and was forced to use their Facebook page as their primary news outlet.
Responsible: LulzSec.
Cost: One of their Sr. Correspondents, Judy Woodruff, wrote a post on “Calculating the Cost of an Attempt to Silence the Press”. While they didn’t disclose any financial costs or specific user information loss, it has certainly been a struggle for them to regain control of their site and all of their content.
5) WordPress.org Plugins
This malicious hack just happened yesterday. It turns out a few of the plugins hosted on the code-development site were hacked and granted third-party access to sites using those plugins. Specifically, the popular plugins AddThis, WPtouch, and W3 Total Cache. So far it sounds like they’ve done a good job closing the door, but it was open for a solid 24 hours.
Their advice: “any users of the three Trojanized plug-ins who updated them ‘in the past day’ (meaning Monday or Tuesday) should upgrade those plug-ins immediately.”
They also remind us that the goal of many of these backdoor Trojan hacks is to gain password access for use on other sites, in the hope that users won’t be savvy enough to have site-specific or multiple passwords.
The InformationWeek.com article shares some other interesting information. “Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs.”
Responsible: Unknown.
Cost: Not yet known, although according to InformationWeek.com “AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times”. It’s unclear how many of those users updated the plugins while the Trojanized versions were available.
4) Sega
Sega’s account management system, “Sega Pass”, was hacked after Sega West’s CEO made a couple of confident comments about their security system in the wake of Sony’s hacks (see below for more on Sony). In an interesting turn, the hacker group LulzSec offered to help find the perpetrators, with the added comment, “we love the Dreamcast”.
In case we needed another reminder to use different passwords on different sites, “[Sega] also cautioned that ‘if you use the same login information for other websites and/or services as you do for Sega Pass, you should change that information immediately.’”
Responsible: Unknown.
Cost: Sega lost key user information for 1.3 million customers, including email addresses, dates of birth, and encrypted passwords.
3) Citigroup
Citi lost some important data in this one – customer names, email addresses, contact information, and even account numbers. While customers can’t rest assured that their accounts are safe, Citi did add that “customer’s social security number, date of birth, card expiration date, and card security code (CVV) were not compromised,” and that customers should remain on “high alert for scams, phishing, and phone calls purporting to be from Citibank and their subsidiaries.”
Responsible: LulzSec
Cost: A self-reported 1% of their 21 million customers (or 210,000 accounts) had their personal information stolen. There has been no mention of financial costs incurred.
2) Web Servers/Sites of the U.S. Senate, CIA, and FBI
There have been a few government sites and subsidiaries hit this year, including InfraGard, “a private, non-profit organization that exists to serve as a public/private partnership with the FBI”, the CIA, the FBI’s Detroit office, and the U.S. Senate, among others.
Antivirus vendor Sophos had a great contribution:
“While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are–in the worst cases–having their personal data exposed,” said Graham Cluley, senior technology consultant at Sophos, in a blog post. “There are responsible ways to inform a business that its website is insecure, or that it has not properly protected its data. What’s disturbing is that so many Internet users appear to support LulzSec.”
InformationTech has a more complete list of the government branches that have been attacked, mainly with DDoS attacks.
Responsible: LulzSec
Cost: InfraGard lost member data and all information stored on their website. The CIA’s public website was taken down, and the FBI’s Detroit office received a distributed denial of service attack against their phone system. The U.S. Senate web server was attacked.
1) Sony / Sony Pictures / Playstation
Has anyone not yet heard about Sony’s 2011? In case you haven’t, Google has over 2,000 recent articles on the issue. The #1 spot on a list of hacks is probably not one anyone would want to hold, but here they are.
I’ve been a die-hard PlayStation fan since the PS1 first came out (the PS3 is an impressive machine, and the ergonomics of the Xbox controller are horrible compared to the PS controller), but I’ve found myself thinking about switching to the Dark Side. (I’ll spare you all a rant on Sony’s lacking embrace of social media and off-console technology.)
At this point Sony is facing attacks from consumers, court systems, and just about every other nightmare you can imagine. In just one example, Infinity Ward, one of the two publishers of the multi-billion dollar Call of Duty series, made the lazy mistake of leaving security in the hands of the respective platform servers. When Sony was hacked, it rendered their Modern Warfare 2 game “unplayable”.
Responsible: LulzSec
Cost: In April they were forecasting a cost of $170 million. By the end of April that number was up to $1.5 billion. By the end of May there were reports that the hacking (and their response) will cost them $24 billion – nearly 10x their revenue for the same period. [Infographic at bottom of the post]
Quite the list.  Here’s to hoping 2012 is the year of security improvements…