Andy Steingruebl

To be fair, a small number of the total compromised identities (rather than payment instruments) were really from websites. And, though computers feature prominently in many of the breaches, many are stolen laptops, tapes, etc. Not the sort of things developers really can be held accountable for....


Andy - hmm... a small percentage of a couple hundred million stands to be a decent-sized number.

Sure, not all the issues are a direct result of poor web security. But let's look closer at Q1 2005(*): it looks like about 373,000 identity records were breached that we know about. Basic crime statistic analysis says that we know about 10% of what actually occurs, so it's reasonable to project the number is closer to 3.7 million for the first quarter of 2005.

Jan. 10, 2005 - George Mason University (Fairfax, VA)
Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server.
Number of records: 32,000

Jan. 18, 2005 - Univ. of CA, San Diego (San Diego, CA)
A hacker breached the security of two University computers that stored the Social Security numbers and names of students and alumni of UCSD Extension.
Number of records: 3,500

Feb. 25, 2005 - (Miramar, FL)
Exposed online
Number of records: 25,000

March 8, 2005 - DSW/Retail Ventures (Columbus, OH)
Number of records: 100,000

March 11, 2005 - Boston College (Boston, MA)
Number of records: 120,000

March 20, 2005 - Northwestern Univ. (Evanston, IL)
Hacking
Number of records: 21,000

March 20, 2005 - Univ. of NV., Las Vegas (Las Vegas, NV)
Number of records: 5,000

March 22, 2005 - Calif. State Univ. (Chico, CA)
Number of records: 59,000

March 23, 2005 - Univ. of CA. (San Francisco, CA)
Number of records: 7,000

March 25, 2005 - Purdue University (West Lafayette, IN)
Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates.
Number of records: 1,200
(not included in total because news stories are not clear if SSNs or financial information were exposed)

Andy Steingruebl

OK, but I don't have nearly enough details from those incidents to determine whether they were because of software defects or operational failures.

Could be perfectly up-to-date software and no vuln was exploited, but the password was empty or whatnot. Sure, maybe it was a not-secure-by-default type issue, but we don't really know.

I had a pseudo-proposal at the mini-metricon to try and gather more data about these to get more root-cause info. Sort of like the WHID - http://www.webappsec.org/projects/whid/ but for other security incidents.

