Data Breach Notices Show Tip of the Iceberg
d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."
Re:Some highlights (Score:5, Insightful)
The problem with data loss is that it isn't a localized problem.
A loss/breach in California can screw over people living in Maine.
Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.
Re:Use to force 'losers' into warning victims? (Score:3, Insightful)
Too many notices! (Score:4, Insightful)
Re:Too many notices! (Score:4, Insightful)
A huge business has evolved around hyping identity theft & selling related services. It isn't that common an issue. The studies done by the industry itself (the Javelin studies) show very low actual costs, minimal levels of identity theft, and the "identity theft" identified is overwhelmingly fraudulent credit card purchases by family members.
ID Analytics did an analysis of data leaked through a lost laptop & found 6 months after the breach there was a 0.0% rate of fraud. The same study looked at fraud rates for data found in a highly sophisticated fraud ring - including name, address, DOB, SSN, etc. They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010). The same study found only 11% of breaches are actually reported.
The ChoicePoint breach - which garnered the largest FTC fine for data breach ever, with 163,000 individuals affected. Fraud rate 3 years later of those people was 1 in 1244 - slightly better than average. Of the $5M set aside for recovery only $140k was ever used. The GAO did a study in 2007 and found of the 24 largest breaches, only 3 had evidence of misuse of an existing account, and only one had evidence of actual identity theft.
I've made my point. I don't mean to say everything is hunky-dory in computer land. Synthetic identity fraud is a big issue - where some real & some fake data is used, so there's no real person to discover the fraud. Botnets & spyware are huge problems. State-sponsored technological attacks are worrisome. I just mean to say identity theft is exceptionally rare, and doesn't deserve all the attention it gets. Don't buy the hype, let's look at real issues.