Data Breach Notices Show Tip of the Iceberg

d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."

Re:Some highlights

[TubeSteak]

The problem with data loss is that it isn't a localized problem.
A loss/breach in California can screw over people living in Maine.

Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.

Re:Use to force 'losers' into warning victims?

Being legally obligated to do it and actually doing it are two different things. I'd be willing to bet most companies would sweep it under the rug and cross their fingers no one ever traced the breach back to them.

Too many notices!

[Benjamin_Wright]

Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

Re:Too many notices!

[jambarama]

Good point, but what is a notice supposed to do anyway? If you notify me and I read the document, great what am I expected to do? Notify the credit bureaus to be on alert - or require extra authentication for new lines of credit, if not a new credit freeze itself (I realize some state laws do this). If someone makes fraudulent purchases on my credit card, CC companies are actually really good at catching it, but if not I report it & I new a new piece of plastic and I don't get stuck with the bill (not directly anyway).

A huge business has evolved around hyping identity theft & selling related services. It isn't that common an issue. The studies done by the industry itself (the Javelin studies) show very low actual costs, minimal levels of identity theft, and the "identity theft" identified is overwhelmingly fraudulent credit card purchases by family members.

ID Analytics did an analysis of data leaked through a lost laptop & found 6 months after the breach there was a 0.0% of fraud. The same study looked at fraud rates for data found in a highly sophisticated fraud ring - including name, address, DOB, SSN, etc. They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010). The same study found only 11% of breaches are actually reported.

The choicepoint breach - which garnered the largest FTC fine for data breach ever, with 163,000 individuals affected. Fraud rate 3 years later of those people was 1 in 1244 - slightly better than average. Of the $5M set aside for recovery only $140k was ever used. The GAO did a study in 2007 and found of the 24 largest breaches, only 3 had evidence of misuse of an existing account, and only one had evidence of actual identity theft.

I've made my point. I don't mean to say everything is hunky dory in computer land. Synthetic identity fraud is a big issue - where some real & some fake data is used, so there's no real person to discover the fraud. Botnets & spyware are huge problems. State sponsored technological attacks are worrisome. I just mean to say identity theft is exceptionally rare, and doesn't deserve all the attention it gets. Don't buy the hype, lets look at real issues.