Slashdot Mirror


Data Breach Notices Show Tip of the Iceberg

d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."

18 of 50 comments

  1. Some highlights by alain94040 · · Score: 5, Informative

    Some of my favorite highlights from recent incidents (I know, I shouldn't RTFM):

    Names and Social Security numbers of at least 250,000 found through search engine
    Date: 2008-12-02
    Organizations: Florida Agency for Workforce Innovation

    I guess there are many different ways you can innovate...

    Social Security numbers of 341 posted on web
    Date: 2008-12-04
    Organizations: Economic Research Institute

    If it's for research, then it's ok to post on the web...

    Stolen laptop contains names and Social Security numbers of "several thousand" employees
    Date: 2008-12-11
    Organizations: Hewlett-Packard

    If you thought only small-time loser organizations like the first two on my list were subject to embarrassing data loss, that one would set you straight.

    --
    http://fairsoftware.net/ -- Software Bill Of Rights

    1. Re:Some highlights by TubeSteak · · Score: 4, Insightful

      The problem with data loss is that it isn't a localized problem.
      A loss/breach in California can screw over people living in Maine.

      Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.

      --
      [Fuck Beta]
      o0t!
    2. Re:Some highlights by tubapro12 · · Score: 3, Funny

      I've been awake for over 40 hours now, but did anyone else think of data loss caused by icebergs when they read the title?

    3. Re:Some highlights by Gerzel · · Score: 2, Interesting

      Three can keep a secret if two are dead.

      Franklin, go Ben!

  2. Use to force 'losers' into warning victims? by Bearhouse · · Score: 3, Interesting

    I've always wondered if the organisations that 'lose' data such as SS#s are diligent in warning potential victims of identity theft etc.

    Totally ignorant in this area - perhaps someone here could clarify. What, if any, are the obligations of an organisation that holds sensitive data about you to inform you of its potential or real loss?

    Seems that this is a start, but it's still 'passive'. Some kind of active warning system would be better... After all, if someone's stolen my bank details and passwords, I'd really like to know, fast.

    1. Re:Use to force 'losers' into warning victims? by Daffy+Duck · · Score: 3, Informative

      Many (more than half?) states in the US have laws that require companies/institutions to report the loss of this kind of data. The first obligation is to report the loss to the subjects of the data so they can take steps to protect themselves.

    2. Re:Use to force 'losers' into warning victims? by Anonymous Coward · · Score: 3, Insightful

      Being legally obligated to do it and actually doing it are two different things. I'd be willing to bet most companies would sweep it under the rug and cross their fingers no one ever traced the breach back to them.

    3. Re:Use to force 'losers' into warning victims? by jambarama · · Score: 2, Informative

      Depends on the state. Some states have strict notification laws - California & Indiana for example - many don't. You can look up your state here. For companies that cover the whole country, they typically comply with the strictest law to which they are subject, so you often get the benefit of the strictest law. Some states often require more than just notice, they may require you get several free credit reports, a free credit freeze, or some other remedial measure. Some states require immediate notification when a breach is discovered, but most permit or require a delay for law enforcement - theoretically so that law enforcement can catch the baddies before the baddies know they're being pursued. According to InformationWeek, "hard numbers about data breaches are hard to come by . . . [a]ccording to survey of about 300 attendees at this year's RSA Conference, more than 89% of security incidents went unreported in 2007." So who knows how much of it we're actually hearing about. I suppose this website will partially help with under notification.

  3. Easy fix. by girlintraining · · Score: 4, Funny

    We just need to somehow convince people that data is like a young blonde, attractive, girl. I'll even give you a sample police report:

    Yesterday evening at 5:04pm, a young and attractive blonde female database was pushed into a UDP connection, which fled the scene shortly after...

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Easy fix. by maxume · · Score: 3, Funny

      The first step is to steal it.

      The next step is to say nice things to it.

      --
      Nerd rage is the funniest rage.
  4. Re:Dive For Them? by ipX · · Score: 2, Informative

    Just follow the RSS feed -- you'll find 2 new breaches every day or more! How is that not fun?!

  5. Too many notices! by Benjamin_Wright · · Score: 4, Insightful

    Data breach notices have a scalability problem. As the number of notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us
    1. Re:Too many notices! by jambarama · · Score: 3, Insightful

      Good point, but what is a notice supposed to do anyway? If you notify me and I read the document, great, what am I expected to do? Notify the credit bureaus to be on alert - or require extra authentication for new lines of credit, if not a new credit freeze itself (I realize some state laws do this). If someone makes fraudulent purchases on my credit card, CC companies are actually really good at catching it, but if not I report it & I get a new piece of plastic and I don't get stuck with the bill (not directly anyway).

      A huge business has evolved around hyping identity theft & selling related services. It isn't that common an issue. The studies done by the industry itself (the Javelin studies) show very low actual costs, minimal levels of identity theft, and the "identity theft" identified is overwhelmingly fraudulent credit card purchases by family members.

      ID Analytics did an analysis of data leaked through a lost laptop & found 6 months after the breach there was a 0.0% rate of fraud. The same study looked at fraud rates for data found in a highly sophisticated fraud ring - including name, address, DOB, SSN, etc. They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010). The same study found only 11% of breaches are actually reported.

      The ChoicePoint breach garnered the largest FTC fine for a data breach ever, with 163,000 individuals affected. The fraud rate 3 years later among those people was 1 in 1244 - slightly better than average. Of the $5M set aside for recovery only $140k was ever used. The GAO did a study in 2007 and found of the 24 largest breaches, only 3 had evidence of misuse of an existing account, and only one had evidence of actual identity theft.

      I've made my point. I don't mean to say everything is hunky dory in computer land. Synthetic identity fraud is a big issue - where some real & some fake data is used, so there's no real person to discover the fraud. Botnets & spyware are huge problems. State sponsored technological attacks are worrisome. I just mean to say identity theft is exceptionally rare, and doesn't deserve all the attention it gets. Don't buy the hype, let's look at real issues.

    2. Re:Too many notices! by plover · · Score: 2, Interesting

      Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it. It made them more paranoid than they had been before, so they watched their financial data more carefully, and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")

      Or maybe many of them closed out a bunch of unused credit accounts to minimize their footprints, which actually did spare them from further breaches.

      --
      John
  6. Problems by gmuslera · · Score: 2, Funny

    Despair saw it coming first

  7. Tip of the iceberg indeed! by mianne · · Score: 3, Interesting

    I've received notices of data breaches at three current or former employers and from two government agencies, all of which "may" have involved personal information including my date of birth, social security number, etc. Meanwhile, there are undoubtedly some organizations which have also lost data yet failed to report that fact, plus the likelihood that others have had breaches yet do not have my current contact information. It seems safe to assume that probably every bit of personal identity information for me is now in the public domain.

    While I haven't yet become an identity theft victim, it seems like it's only a matter of time. Some agencies have offered 1-year enrollment in a credit monitoring service, others simply recommend that I should make sure to check my credit reports regularly. Gee thanks!

    As infuriating as all of that is, what really gets my goat is all of the advice tossed out by many of these same agencies to be sure to shred bank statements before discarding them. While I agree that one shouldn't be careless with their own financial information: 1) it seems more likely that my personal information will be stolen from the very organizations that give me this advice than some neighborhood dumpster diver, and 2) if these agencies were even half as cautious with my information, these incidents would be a rarity.

    --
    Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.
    1. Re:Tip of the iceberg indeed! by wmbetts · · Score: 2, Funny

      You should do what I do to protect myself. It's really simple. First get as many credit cards as you can. If you're feeling lucky get a mortgage too. Then default on ALL of them. I know it seems a little drastic, but hey at least an identity thief can't ruin your credit.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  8. Why don't agencies improve authentication? by StandardCell · · Score: 3, Interesting

    The fundamental problem here isn't the data loss (other than a possible loss of privacy), but one of what someone other than the authorized owner of that information can do with it. Credit reporting agencies, property title offices, passport offices, and a whole host of other people need a much stronger form of authentication. These fools have ignored this problem for years, and impose costs not only on the victims but on everyone else due to prosecution, police investigation, etc.

    From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories. Both government and private industry need to wake up and start making it much more difficult for people to have anything bad done to them simply because someone uses their data ON TOP of mandating cryptography and security for information (which I deem to be separate concepts).

    An idea - digitally sign the hash of a person's fingerprint, retina, signature and a non-obvious PIN (i.e. pictures, phrases, numbers, questions), put the root certificate authority in a government-controlled secure bunker or military base with FIPS 140 secured HSMs and multiple independent layered checks and balances, and use the signature/verification chain for both government and commercial uses.
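    The two paragraphs above sketch a scheme where several authentication factors are hashed and bound together by a root signature, so that a relying party checks the signature and the presented factors rather than trusting name/SSN/DoB alone. The Go program below is an added illustration of that idea, not code from the commenter or from any government scheme. It assumes an in-memory P-256 key standing in for the HSM-held root, a per-person random salt (so a leaked credential database does not hand out brute-forceable PIN or biometric hashes), and exact-match biometric templates (a simplification; real biometric matching is fuzzy and would need a fuzzy extractor or a matcher on the verifier's side). All type and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Credential is the record the commenter proposes: salted hashes of several
// authentication factors, bound together by one root signature. Field names
// are this example's own, not from any standard.
type Credential struct {
	Salt            [16]byte // per-person random salt so hashes cannot be precomputed
	FingerprintHash [32]byte // SHA-256(salt || fingerprint template)
	PINHash         [32]byte // SHA-256(salt || PIN)
}

// factorHash derives a salted hash of one factor. Salting matters: a PIN or a
// compact biometric template has little entropy, so an unsalted hash could be
// reversed by brute force if the credential database ever leaks.
func factorHash(salt [16]byte, factor []byte) [32]byte {
	h := sha256.New()
	h.Write(salt[:])
	h.Write(factor)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Enroll builds a credential from the raw factors captured at enrollment.
// The template is treated as an exact byte string (simplification, see lead-in).
func Enroll(fingerprintTemplate []byte, pin string) (Credential, error) {
	var c Credential
	if _, err := rand.Read(c.Salt[:]); err != nil {
		return c, err
	}
	c.FingerprintHash = factorHash(c.Salt, fingerprintTemplate)
	c.PINHash = factorHash(c.Salt, []byte(pin))
	return c, nil
}

// Digest is the canonical byte string the root key signs: fixed-size fields in
// a fixed order, so issuer and verifier cannot disagree on the encoding.
func Digest(c Credential) [32]byte {
	h := sha256.New()
	h.Write(c.Salt[:])
	h.Write(c.FingerprintHash[:])
	h.Write(c.PINHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Issue signs the credential with the root key. In the commenter's design this
// key lives in a FIPS 140 HSM; here it is an in-memory P-256 key (assumption).
func Issue(root *ecdsa.PrivateKey, c Credential) ([]byte, error) {
	d := Digest(c)
	return ecdsa.SignASN1(rand.Reader, root, d[:])
}

// Authenticate is what a relying party (credit bureau, title office) runs. It
// checks the root signature first, then the presented factors against the
// signed hashes. Knowing only name/SSN/DoB satisfies neither check.
func Authenticate(rootPub *ecdsa.PublicKey, c Credential, sig []byte,
	presentedTemplate []byte, presentedPIN string) bool {
	d := Digest(c)
	if !ecdsa.VerifyASN1(rootPub, d[:], sig) {
		return false // forged, tampered, or signed by some other key
	}
	fp := factorHash(c.Salt, presentedTemplate)
	pin := factorHash(c.Salt, []byte(presentedPIN))
	// Constant-time compares so a verifier does not leak which factor mismatched.
	ok := subtle.ConstantTimeCompare(fp[:], c.FingerprintHash[:]) &
		subtle.ConstantTimeCompare(pin[:], c.PINHash[:])
	return ok == 1
}

func main() {
	root, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	template := []byte("constructed-fingerprint-template-bytes") // constructed sample
	cred, err := Enroll(template, "correct horse 4242")          // constructed PIN
	if err != nil {
		panic(err)
	}
	sig, err := Issue(root, cred)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", Authenticate(&root.PublicKey, cred, sig, template, "correct horse 4242"))
	fmt.Println("wrong PIN:", Authenticate(&root.PublicKey, cred, sig, template, "0000"))
	// A record built from the victim's data but never signed by the root fails.
	forged, _ := Enroll(template, "0000")
	fmt.Println("forged record:", Authenticate(&root.PublicKey, forged, sig, template, "0000"))
}
```

    The point the example makes is that the signature binds the factors to the issuer's key, so a record assembled by someone who merely holds the victim's name, SSN and date of birth cannot be verified, and even the genuine record is useless without the presented PIN and template. It deliberately leaves out the revocation, key-rotation and multi-party-control machinery the commenter's "layered checks and balances" would need.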