Question

I’ve been reading about the Spectre and Meltdown vulnerabilities and their impact on data security. I’m curious to know how widespread these attacks have been and how many businesses reported incidents related to them. Are there any statistics or case studies available?

Answer 1

Even though there aren't exact numbers on how many businesses were hit by a Spectre or Meltdown attack, I've put together some insights, data, and case studies that might give you an idea of how bad these flaws were:

1. Initial estimates (2018): When the vulnerabilities were first disclosed, the U.S. Computer Emergency Readiness Team (US-CERT) estimated that virtually all modern processors (billions of devices) were affected.
2. Affected industries: A survey by the SANS Institute (2018) found that:
   • 71% of respondents from Finance and Banking were affected.
   • 63% from Government.
   • 57% from Healthcare.
   • 55% from Technology and Software.
3. Exploitation attempts:
   • A Google Cloud report (2018) mentioned that they saw "limited" exploitation attempts, with no reported customer impact.
   • Akamai (2018) reported observing a small number of exploitation attempts, but no successful breaches.
4. Patch adoption rates:
   • A Shodan scan (2018) found that about 50% of scanned servers had applied patches for Meltdown (CVE-2017-5754).
   • A Tenable study (2019) reported that, after one year, about 70% of organizations had patched Meltdown and Spectre vulnerabilities.

Notable case studies and incidents:

1. Norwegian health care system (HelseCERT): Reported a successful Spectre-based attack in 2018, which was quickly contained.
2. German automobile manufacturer: According to a Cyberus Technology report (2019), a Spectre-based attack was used to steal sensitive data.
3. Multiple cloud service providers: While not publicly disclosing specific numbers, providers like AWS, Google Cloud, and Microsoft Azure have all acknowledged taking measures to mitigate the vulnerabilities and protect their customers.