Data Breach Notices Show Tip of the Iceberg

d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."

Some highlights

[alain94040]

Some of my favorite highlights from recent incidents (I know, I shouldn't RTFM):

Names and Social Security numbers of at least 250,000 found through search engine
Date: 2008-12-02
Organizations: Florida Agency for Workforce Innovation

I guess there are many different ways you an innovate...

Social Security numbers of 341 posted on web
Date: 2008-12-04
Organizations: Economic Research Institute

If it's for research, then it's ok to post on the web...

Stolen laptop contains names and Social Security numbers of "several thousand " employees
Date: 2008-12-11
Organizations: Hewlett-Packard

If you thought only small time loser organizations like the first two on my list where subject to embarrassing data loss, that one would set you straight.

--
http://fairsoftware.net/ -- Software Bill Of Rights

Re:Some highlights

[TubeSteak]

The problem with data loss is that it isn't a localized problem.
A loss/breach in California can screw over people living in Maine.

Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.

Re:Some highlights

[tubapro12]

I've been awake for over 40 hours now, but did anyone else think of data loss caused by icebergs when they read the title?

Re:Some highlights

[DiegoBravo]

When I read "data loss", I think more of unrecoverable information (like crashed hard disks without backups, or forgetting passwords.) But the problem here seems to be more about "uncontrolled copies".

>> Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.

At least in some domains, it is already. PCI for example puts restrictions for the duplication of sensitive data, and adds requirements forcing encription.

Re:Some highlights

[SleepingWaterBear]

Yes.

Re:Some highlights

[Gerzel]

Three can keep a secret if two are dead.

Franklin, go Ben!

Re:Some highlights

Yes, but I haven't been awake for 40 hours. I've only drank about a fifth of 7.

Re:Some highlights

[docgiggles]

This is an field that the U.S. needs to spend money on NOW. They need to fix, regulate, and upgrade all of their systems in order to keep from being annihilated. The U.S. is not even competitive digitally anymore, because our politicians do not seem to realize the massive role it plays in our daily life. Hopefully Obama will remedy this, but who knows?

Re:Some highlights

[bhamlin]

What a titanic misreading. :D

Use to force 'losers' into warning victims?

[Bearhouse]

I've always wondered if the organisations that 'lose' data such as SS#s are diligent in warning potential victims of identity theft etc.

Totally ignorent in this area - perhaps someone here could clarify. What, if any, are the obligations of an organisation that holds sensitive data about you to inform you of it's potential or real loss?

Seems that this is a start, but it's still 'passive'. Some kind of active warning system would be better... After all, if someone's stolen my bank details and passwords, I'd really like to know, fast.

Re:Use to force 'losers' into warning victims?

[Daffy+Duck]

Many (more than half?) states in the US have laws that require companies/institutions to report the loss of this kind of data. The first obligation is to report the loss to the subjects of the data so they can take steps to protect themselves.

Re:Use to force 'losers' into warning victims?

[Bearhouse]

Thx

Re:Use to force 'losers' into warning victims?

Being legally obligated to do it and actually doing it are two different things. I'd be willing to bet most companies would sweep it under the rug and cross their fingers no one ever traced the breach back to them.

Re:Use to force 'losers' into warning victims?

[RJFerret]

My bank restructured and had a loss of physical media that was being moved... There was notification, but not sure how "instant", and at first one year of "paid for" credit monitoring service that was increased to two years.

That was a bank (stricter regs). An online service that had their servers broken in to a few years ago didn't notify customers for in uncertain amount of time (month or two?) before requiring changes and longer passwords and restructured their in house network. In that case I would have liked to have known and notified my credit card company sooner, like two hours shy of a month or two sooner! (That company was in California... Makes you think about doing business with companies not under the same expectations as you might have locally...)

Re:Use to force 'losers' into warning victims?

[jambarama]

Depends on the state. Some states have strict notification laws - California & Indiana for example - many don't. You can look up your state here. For companies that cover the whole country, they typically comply with the strictest law to which they are subject, so you often get the benefit of the strictest law. Some states often require more than just notice, they may require you get several free credit reports, a free credit freeze, or some other remedial measure. Some states require immediate notification when a breach is discovered, but most permit or require a delay for law enforcement - theoretically so that law enforcement can catch the baddies before the baddies know they're being pursued. According to InformationWeek, "hard numbers about data breaches are hard to come by . . . [a]ccording to survey of about 300 attendees at this year's RSA Conference, more than 89% of security incidents went unreported in 2007." So who knows how much of it we're actually hearing about. I suppose this website will partially help with under notification.

Re:Use to force 'losers' into warning victims?

[guruevi]

At this moment, the understanding of the federal law is as follow (State law may differ, IANAL):

1. You can store any data pointer on anyone in any format you like (plain text, SQL database, ...) and transfer it any way you like. There are several protected data for Personal Identifiable Information. The usual suspects: Full names, full SSN, drivers license numbers or other photo ID numbers, (mug) pictures, birth dates, addresses, full credit card numbers, employer ID
2. If you encrypt, trim (eg. cut away all but the last 4 digits of an SSN) or obfuscate (ROT-13) the data of any or all of 1. at any point, every item that was encrypted or obfuscated ceases to be protected data. Losing the encrypted data in transfer (sniffing or losing a laptop) it would not be counted towards disclosure.
3. If you lose less than 3 of the data points (eg. a list of names and ssn, names and license numbers, names and addresses) you don't have to notify anybody
4. If you lose 3 or more data points but on several occassions, you don't have to notify anybody. If you know for sure the same party obtained all of the information on several occasions in a similar way, the data should not be able to be connected (eg. using foreign keys, unique identifiers or directories) after the fact.
5. There has to be a central documentation in an organization that keeps track of some or all of the data stores in which such information is stored at what location, what protection it has and what the risk and disclosure procedures should be when that particular part gets lost.
6. All data stores have to have a log and on basis of that log disclosures should be made about data loss. Certain logs (like personal health information under HIPAA) should be made on unalterable media (like WORM devices) but that's not necessary for personal identifiable information or personal credit information

Current problems with the law:
Encryption: it is not specified as to how 'heavy' the encryption is to be; it is not specified what happens if encryption is easily cracked or even what happens if the password was sticky-noted on the keyboard.
Data theft: It is not clear what happens if several entities obtain different information from several sites. If I get your name and SSN from one entity, it doesn't have to be disclosed. If I then use a phonebook or directory to find your address and I can open a credit card with that information, you wouldn't even know.
Theft of point 5: If I can somehow steal the central document (because usually they're also stored somewhere in a database or a document with HR or another pencil-pushing department), I now know all the information about all the data stores and what protections I have to circumvent. I can pick the weakest target which I might previously not have known existence of.
Circumvention of point 6: If I can somehow circumvent or block the system from logging my accesses then the organization wouldn't have to disclose anything even if they knew (or somebody found out) that I was accessing it.

I know there has to be some federal oversight on data loss but all that's currently happening is basically replacing the leaky bucket with a spaghetti strainer and in the mean time it's only enriching organizations that provide 'data protection services' and 'audits'

Re:Use to force 'losers' into warning victims?

[hesaigo999ca]

I always felt there should be consequences fro their actions, being accountable for lost or stolen info....they should be charged for negligence! The more these cases bring big fines, the less they will skimp on security for keeping such info.

Easy fix.

[girlintraining]

We just need to somehow convince people that data is like a young blonde, attractive, girl. I'll even give you a sample police report:

Yesterday evening at 5:04pm, a young and attractive blonde female database was pushed into a UDP connection, which fled the scene shortly after...

Re:Easy fix.

[Lulfas]

I'll steal THAT data!

Re:Easy fix.

[the_bard17]

Forget that... I wanna know how to *copy* it ;o)

Re:Easy fix.

[maxume]

The first step is to steal it.

The next step is to say nice things to it.

Re:Easy fix.

[neomunk]

Heh...

It puts the lotion on it's skin, or it gets rm'd again.

Re:Damn - missed my pet hate

ignorence is blitz I always say...

Dive For Them?

[DynaSoar]

Forget diving for it individually. Let OSF collect and collate, and task someone at /. with gathering and posting a weekly summary. It'd certainly serve a better purpose than "Ignore Mail". It'd bolster OSF's effort because, get serious now, which is going to be read more?

Re:Dive For Them?

[ipX]

Just follow the RSS feed -- you'll find 2 new breaches every day or more! How is that not fun?!

Re:Dive For Them?

[hesaigo999ca]

Actually I would agree having a "geek" review such postings and helping come up with better means for security, the problem is the third parties finding out who this person is ans sending bribes...all to often we see this happen in all walks of life....unless we come up with a cycling method, that nominates people based on their posts/comments, and makes it random enough that it wont know who is next to review the site.

Just post the data

Perhaps, to make it easier for the effected, we should just post the actual data that was lost. Then I could setup a google alert for my SSN/bank account number, and get an email when it's been found.

Because...

[ipX]

"Sunlight is the best disinfectant"?

Re:Damn - missed my pet hate

Kelsey Grammer is a Nazi?

Too many notices!

[Benjamin_Wright]

Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

Re:Too many notices!

[jambarama]

Good point, but what is a notice supposed to do anyway? If you notify me and I read the document, great what am I expected to do? Notify the credit bureaus to be on alert - or require extra authentication for new lines of credit, if not a new credit freeze itself (I realize some state laws do this). If someone makes fraudulent purchases on my credit card, CC companies are actually really good at catching it, but if not I report it & I new a new piece of plastic and I don't get stuck with the bill (not directly anyway).

A huge business has evolved around hyping identity theft & selling related services. It isn't that common an issue. The studies done by the industry itself (the Javelin studies) show very low actual costs, minimal levels of identity theft, and the "identity theft" identified is overwhelmingly fraudulent credit card purchases by family members.

ID Analytics did an analysis of data leaked through a lost laptop & found 6 months after the breach there was a 0.0% of fraud. The same study looked at fraud rates for data found in a highly sophisticated fraud ring - including name, address, DOB, SSN, etc. They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010). The same study found only 11% of breaches are actually reported.

The choicepoint breach - which garnered the largest FTC fine for data breach ever, with 163,000 individuals affected. Fraud rate 3 years later of those people was 1 in 1244 - slightly better than average. Of the $5M set aside for recovery only $140k was ever used. The GAO did a study in 2007 and found of the 24 largest breaches, only 3 had evidence of misuse of an existing account, and only one had evidence of actual identity theft.

I've made my point. I don't mean to say everything is hunky dory in computer land. Synthetic identity fraud is a big issue - where some real & some fake data is used, so there's no real person to discover the fraud. Botnets & spyware are huge problems. State sponsored technological attacks are worrisome. I just mean to say identity theft is exceptionally rare, and doesn't deserve all the attention it gets. Don't buy the hype, lets look at real issues.

Re:Too many notices!

[Duckie01]

They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010).
[...]
Fraud rate 3 years later of those people was 1 in 1244 - slightly better than average.

So what you're saying is that I should give my data to these thugs and *decrease* the chance of fraud? How's that logical? I'd guess the stolen accounts should have at least the same chance of fraud as any other... why does this not add up?

Re:Too many notices!

[plover]

I don't think it's a scalability problem. What are you supposed to do about any particular breach you read about in the news? Worry harder? "Serious" is not a matter of public opinion -- it's a boolean issue to the victims.

DidMyDataGetLeaked() ? MyProblems(serious) : MyProblems(NULL) ;

How does that differ if it happens one time or one million times? It doesn't affect us as a society any differently.

Where scalability makes a difference is in the organization who had the breach. If they have to answer to a single angry customer, they can probably deal with it. If they have to answer to a horde of a million angry customers, they may go out of business. Even that doesn't have a "scalability" problem to society. Either the TV news says "XYZ corp filed for chapter 11 today because an angry horde of customers whose data was leaked sued them into oblivion" or they don't.

There is another place where scalability does matter, and that is in defending against breaches. If I own a restaurant and hear that there's a ring of card skimmers in town, and they've hit 9 restaurants so far, I'd want to take extra measures to avoid becoming the 10th. But that's a matter of geography and modus operandi, not "did they steal 10 or 1000 cards from each?"

Re:Too many notices!

[plover]

Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it. It made them more paranoid than they had been before, so they watched their financial data more carefully, and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")

Or maybe many of them closed out a bunch of unused credit accounts to minimize their footprints, which actually did spare them from further breaches.

Re:Too many notices!

[Duckie01]

Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it.

Hmm... credit monitoring (monitoring your credit reports for changes) would increase the chance of detection tho, not decrease the chance of fraud. If the detection rate increases and the chance of fraud is the same, the fraud rate found for the breached data would increase since logically there's only detected fraud in the numbers, not undetected.

It made them more paranoid than they had been before, so they watched their financial data more carefully,

That would have the same effect as the credit monitoring I guess.

and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")

Well being more careful might decrease the chance of their cards being abused somewhat indeed...

Or maybe many of them closed out a bunch of unused credit accounts to minimize their footprints, which actually did spare them from further breaches.

... guess that's more likely tho :-) Well if you change "unused" to "unwanted" or something... Unused accounts probably wouldn't have their data stolen in the first place ;-) So people were notified of the breach and closed down accounts... and now these closed accounts are polluting the attackers data... while the "overall fraud rate" only includes working accounts.

I also found the written testimony of ID Analytics these numbers originate from.

It makes an interesting read... there's just so many things affecting the fraud rate. For example, the report estimates it'd take a single person about 10 years to use a million breached accounts. Perhaps this one data set was stolen by a smaller group of attackers. Or just one, and a lazy one at that... ;-)

There's something wrong with the math in the report tho... they estimate: 5 minutes per application, 6.5 hours a day, 5 days a week, 50 days a year. That's 12 applications per hour * 6.5 * 5 * 50 = 19500 applications per year, or roughly 51 years for a single person, not the 10 they write about.

The report then goes on saying that you'd have to hire 51 workers to complete all that in one year -- which actually triggered my curiosity about these numbers because it matches my 51 years but not their 10 ;-) -- which would cost over $830,000 at $10 an hour... quite the operation ;-)

My conclusion is that we can't compare the results of this one study to the overall fraud rate at all. I do agree with jambarama's comment tho that these companies selling credit monitoring services and "fraud protection" try very hard to hype the fraud fear.

Problems

[gmuslera]

Despair saw it coming first

Tip of the iceberg indeed!

[mianne]

Considering that I've received notices of data nreaches at three current or former employers and from two government agencies all of which "may" have involved personal information including my date of birth, social security number, etc. Meanwhile, there's undoubtedly some organizations which have also lost data yet failed to report that fact, plus the likelihood that others have had breaches yet do not have my current contact information. It seems safe to assume that probably every bit of personal identity information for me is now in the public domain.

While I haven't yet become an identity theft victim, it seems like it's only a matter of time. Some agencies have offered 1-year enrollment in a credit monitoring service, others simply recommend that I should make sure to check my credit reports regularly. Gee thanks!

As infuriating as all of that is, what really gets my goat is all of the advice tossed out by many of these same agencies to be sure to shred bank statements before discarding them. While I agree that one shouldn't be careless with their own financial information: 1) it seems more likely that my personal information will be stolen from the very organizations that give me this advice than some neighborhood dumpster diver, and 2) if these agencies were even half as cautious with my information, these incidents would be a rarity.

Re:Tip of the iceberg indeed!

[wmbetts]

You should do what I do to protect myself. It's really simple. First get as many credit cards as you can. If you're feeling lucky get a mortgage too. Then default on ALL of them. I know it seems a little drastic, but hey at least an identity thief can't ruin your credit.

Data Loss Database...

[Lazarian]

"Where do you work?"

"At the Data Loss Database."

"LOL"

Re:Damn - missed my pet hate

[plover]

Kelsey Grammer is a Nazi?

No, it was Kelsey's Gramper.

Why don't agencies improve authentication?

[StandardCell]

The fundamental problem here isn't the data loss (other than a possible loss of privacy), but one of what someone other than the authorized owner of that information can do with it. Credit reporting agencies, property title offices, passport offices, and a whole host of other people need a much stronger form of authentication. These fools have ignored this problem for years, and impose costs not only on the victims but on everyone else due to prosecution, police investigation, etc..

From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories. Both government and private industry needs to wake up and start making it much more difficult for people to have anything bad done to them simply because someone uses their data ON TOP of mandating cryptography and security for information (which I deem to be separate concepts).

An idea - digitally sign the hash of a person's fingerprint, retina, signature and a non-obvious PIN (i.e. pictures, phrases, numbers, questions), put the root certificate authority in a government-controlled secure bunker or military base with FIPS 140 secured HSMs and multiple independent layered checks and balances, and use the signature/verification chain for both government and commercial uses.

Re:Why don't agencies improve authentication?

[rdnetto]

From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories.

Aren't name/SSN/DoB/address examples of "something you know"? "something you have" typically refers to physical objects such as dongles and cards.

Re:Why don't agencies improve authentication?

SINless in seattle?

Re:Why don't agencies improve authentication?

[maxume]

More precisely, they are examples of non-secret information, which isn't that useful for authentication (really, they are pieces of the very information (identity) that you are trying to authenticate).

Re:Why don't agencies improve authentication?

[mpe]

Aren't name/SSN/DoB/address examples of "something you know"? "something you have" typically refers to physical objects such as dongles and cards.

Rather these are things many people know. Which makes them more suitable as "identifiers" than "authenticators". About the only way such "well known facts" could possibly be usable for authentication would be if fairly obscure ones were picked at random.