Even though there aren't exact numbers on how many businesses were hit by a Spectre or Meltdown attack, I've put together some insights, data, and case studies that might give you an idea of how bad these flaws were:
- Initial estimates (2018): When the vulnerabilities were first disclosed, the U.S. Computer Emergency Readiness Team (US-CERT) estimated that virtually all modern processors (billions of devices) were affected.
- Affected industries: A survey by the SANS Institute (2018) found that:
  - 71% of respondents from Finance and Banking were affected.
  - 63% from Government.
  - 57% from Healthcare.
  - 55% from Technology and Software.
- Exploitation attempts:
  - A Google Cloud report (2018) mentioned that they saw "limited" exploitation attempts, with no reported customer impact.
  - Akamai (2018) reported observing a small number of exploitation attempts, but no successful breaches.
- Patch adoption rates:
  - A Shodan scan (2018) found that about 50% of scanned servers had applied patches for Meltdown (CVE-2017-5754).
  - A Tenable study (2019) reported that, after one year, about 70% of organizations had patched Meltdown and Spectre vulnerabilities.

Notable case studies and incidents:
- Norwegian health care system (HelseCERT): Reported a successful Spectre-based attack in 2018, which was quickly contained.
- German automobile manufacturer: According to a Cyberus Technology report (2019), a Spectre-based attack was used to steal sensitive data.
- Multiple cloud service providers: While not publicly disclosing specific numbers, providers like AWS, Google Cloud, and Microsoft Azure have all acknowledged taking measures to mitigate the vulnerabilities and protect their customers.