2011 - almost all over red rover.

2011 has almost come to a close, and it may well be remembered as the year when data breaches truly went mainstream.

Vodafone kicked off the year, exposing customer data through shared/poor passwords on an internet accessible customer management system. Vodafone went into damage control, resetting employee passwords daily and eventually some staff were fired as a result.

Then came Sony! Sony's massive multiple breaches (aka the 'sownage') made ongoing front page news and caused plenty of concern in boardrooms around the world due to its scope and the high-profile nature of the target (I mean, who doesn't have a Sony product at home somewhere!?!).

Less noteworthy for many outside the industry, but a bombshell for those of us in it, was the RSA data breach. When the company whose technology is used to secure millions was so easily penetrated and 'something' stolen (did they ever give a clear indication as to what?), many people started questioning the security of their multi-factor authentication provider. RSA offered new tokens and assured all was well - until Lockheed Martin was breached and pointed the finger at the RSA attackers.
Showing that hacking knows no industry vertical boundaries, email marketing giant Epsilon was also popped, exposing the details of many customers of some of the world's top companies.

Closer to home, web hosting provider Distribute.IT was pwned and driven out of business in a particularly malicious and destructive attack. While the cops got their man, it was too late for many of the company's customers who lost all of their data.

Corporate 'hacking' made the mainstream news - or indeed was the mainstream news - when Rupert Murdoch's News of the World UK newspaper was outed as having been routinely hacking the voicemail messages of celebrities and victims of crime. The main outrage was the claim that journalists had deleted voicemails of an abducted young girl - a claim that has since been claimed to be inaccurate. Nonetheless the scandal was enough to have Murdoch shut down the paper, and not rule out shutting down a second.

Journalist hackers have been in trouble here in Australia as well, with the Melbourne Age newspaper under investigation for hacking a database of a political party.

Certificate Authorities weren't immune either, with Diginotar hacked and issuing valid certificates for bad guys. The end result was game over for the Dutch CA, along with unverified claims from the hacker that he's pwned other CAs as well.

High profile data breaches came to Japan in 2011. First it was Sony (as mentioned above), followed by the Japanese parliament and defence contractor Mitsubishi Heavy Industries. Japanese parliamentarians were reported to be using their personal devices to store confidential government data, which has other implications all of its own.

Proving that no good deed goes unpunished, First State Super in Australia provided a textbook-like lesson on how not to deal with reported vulnerabilities in web applications by attempting to shoot the messenger. Thankfully a rethink meant the messenger was spared, but the public humiliation remained, along with the potential loss of a multi-million dollar deal.

Australia's biggest telco, Telstra, helped keep data loss in the news when it was revealed an internal customer database was accidentally exposed to the internet. Perhaps having learnt the lesson of First State Super, Telstra declined to shoot any messengers and reacted fairly swiftly, taking down the site and contacting 60,000 affected customers. However, it wasn't enough to avoid an investigation by the Privacy Commissioner, nor a phishing campaign.

I'm sure there were others that escape me at the moment, but nonetheless these examples alone show that data loss and intrusion were big news in 2011. With more press comes a growing customer awareness that companies may not be securing personal data as the public expects and perhaps a growing pressure from consumers for companies to meet higher data protection standards. Or will increased awareness and reporting mean we end up with 'breach fatigue' where data breaches become so common consumers just tune out?

Here in Australia, data protection (or 'cybersecurity') recently moved from the Attorney General's Office to the Department of Prime Minister & Cabinet (an area which has had its own problems in the past), so it remains to be seen what (if any) legislative changes are made here and whether we end up with any kind of mandatory breach notification laws or legislated security controls.

Time will tell! Onwards to 2012!