Data Breach Notices Show Tip of the Iceberg

d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."

  • by Bearhouse ( 1034238 ) on Tuesday December 16, 2008 @08:48PM (#26140153)

    I've always wondered if the organisations that 'lose' data such as SS#s are diligent in warning potential victims of identity theft etc.

    Totally ignorant in this area - perhaps someone here could clarify. What, if any, are the obligations of an organisation that holds sensitive data about you to inform you of its potential or real loss?

    Seems that this is a start, but it's still 'passive'. Some kind of active warning system would be better... After all, if someone's stolen my bank details and passwords, I'd really like to know, fast.

  • Re:Some highlights (Score:3, Interesting)

    by Gerzel ( 240421 ) <brollyferret@gmail . c om> on Tuesday December 16, 2008 @11:24PM (#26141365) Journal

    Three can keep a secret if two are dead.

    Franklin, go Ben!

  • by mianne ( 965568 ) on Tuesday December 16, 2008 @11:46PM (#26141515)

    Considering that I've received notices of data breaches from three current or former employers and from two government agencies, all of which "may" have involved personal information including my date of birth, social security number, etc., that there are undoubtedly some organizations which have also lost data yet failed to report that fact, plus the likelihood that others have had breaches yet do not have my current contact information, it seems safe to assume that probably every bit of personal identity information for me is now in the public domain.

    While I haven't yet become an identity theft victim, it seems like it's only a matter of time. Some agencies have offered 1-year enrollment in a credit monitoring service, others simply recommend that I should make sure to check my credit reports regularly. Gee thanks!

    As infuriating as all of that is, what really gets my goat is all of the advice tossed out by many of these same agencies to be sure to shred bank statements before discarding them. While I agree that one shouldn't be careless with their own financial information: 1) it seems more likely that my personal information will be stolen from the very organizations that give me this advice than some neighborhood dumpster diver, and 2) if these agencies were even half as cautious with my information, these incidents would be a rarity.

  • by StandardCell ( 589682 ) on Wednesday December 17, 2008 @01:25AM (#26142099)

    The fundamental problem here isn't the data loss (other than a possible loss of privacy), but one of what someone other than the authorized owner of that information can do with it. Credit reporting agencies, property title offices, passport offices, and a whole host of other people need a much stronger form of authentication. These fools have ignored this problem for years, and impose costs not only on the victims but on everyone else due to prosecution, police investigation, etc.

    From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories. Both government and private industry need to wake up and start making it much more difficult for people to have anything bad done to them simply because someone uses their data ON TOP of mandating cryptography and security for information (which I deem to be separate concepts).

    An idea - digitally sign the hash of a person's fingerprint, retina, signature and a non-obvious PIN (i.e. pictures, phrases, numbers, questions), put the root certificate authority in a government-controlled secure bunker or military base with FIPS 140 secured HSMs and multiple independent layered checks and balances, and use the signature/verification chain for both government and commercial uses.
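The signature/verification chain sketched in the comment above, written out as an added example (not code from the comment's author, from Slashdot, or from any real registry). It assumes Ed25519 for the signatures (the comment names no algorithm), software keys standing in for the HSM-held root, biometric inputs already reduced to canonical bit-exact templates, and constructed sample templates and PIN. The root signs only registry (issuer) keys; a registry signs the per-person digest; a relying party verifies both links and then checks that the factors presented at the counter reproduce the enrolled digest. The two failure cases a practitioner cares about, a wrong PIN and a credential issued by a registry the root never certified, are both exercised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain-separation labels: a root signature over an issuer key can never be
// replayed as a signature over a person's digest, or vice versa.
const (
	ctxIssuer     = "id-registry/issuer-key/v1"
	ctxCredential = "id-registry/credential/v1"
)

var (
	ErrUntrustedIssuer = errors.New("issuer key is not certified by the trusted root")
	ErrBadSignature    = errors.New("credential signature does not verify")
	ErrFactorMismatch  = errors.New("presented factors do not match the enrolled digest")
)

// Credential is what a relying party (title office, lender, passport desk)
// receives. It carries the digest only, never the raw biometrics or PIN.
type Credential struct {
	Digest     [32]byte          // SHA-256 over the four enrolled factors
	IssuerPub  ed25519.PublicKey // key of the registry that enrolled the person
	IssuerCert []byte            // root signature over (ctxIssuer || IssuerPub)
	Signature  []byte            // issuer signature over (ctxCredential || Digest)
}

// IdentityDigest hashes the four factors with length prefixes so that moving
// bytes between fields cannot produce the same digest. Assumption (not from the
// thread): each biometric arrives as a canonical, bit-exact template.
func IdentityDigest(fingerprint, retina, handSignature []byte, pin string) [32]byte {
	h := sha256.New()
	for _, field := range [][]byte{fingerprint, retina, handSignature, []byte(pin)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		h.Write(n[:])
		h.Write(field)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func signCtx(priv ed25519.PrivateKey, ctx string, msg []byte) []byte {
	return ed25519.Sign(priv, append([]byte(ctx), msg...))
}

// verifyCtx guards the key length first: ed25519.Verify panics on a malformed key.
func verifyCtx(pub ed25519.PublicKey, ctx string, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, append([]byte(ctx), msg...), sig)
}

// Root stands in for the offline, HSM-held root key; Issuer for an enrollment registry.
type Root struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

type Issuer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	cert []byte
}

func NewRoot() (*Root, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Root{pub: pub, priv: priv}, nil
}

func (r *Root) Public() ed25519.PublicKey { return r.pub }

// CertifyIssuer is the only operation the root key ever performs.
func (r *Root) CertifyIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{pub: pub, priv: priv, cert: signCtx(r.priv, ctxIssuer, pub)}, nil
}

// Issue binds an enrolled digest to this registry's certified key.
func (i *Issuer) Issue(digest [32]byte) Credential {
	return Credential{Digest: digest, IssuerPub: i.pub, IssuerCert: i.cert,
		Signature: signCtx(i.priv, ctxCredential, digest[:])}
}

// Verify walks root -> issuer -> credential, then checks the presented factors.
func Verify(rootPub ed25519.PublicKey, c Credential, fingerprint, retina, handSignature []byte, pin string) error {
	if !verifyCtx(rootPub, ctxIssuer, c.IssuerPub, c.IssuerCert) {
		return ErrUntrustedIssuer
	}
	if !verifyCtx(c.IssuerPub, ctxCredential, c.Digest[:], c.Signature) {
		return ErrBadSignature
	}
	presented := IdentityDigest(fingerprint, retina, handSignature, pin)
	if subtle.ConstantTimeCompare(presented[:], c.Digest[:]) != 1 {
		return ErrFactorMismatch
	}
	return nil
}

func main() {
	root, _ := NewRoot()
	registry, _ := root.CertifyIssuer()
	// Constructed sample templates and PIN; a real deployment would take these from sensors.
	fp, ret, sig := []byte("FP-TEMPLATE-0001"), []byte("RETINA-TEMPLATE-0001"), []byte("SIG-TEMPLATE-0001")
	cred := registry.Issue(IdentityDigest(fp, ret, sig, "blue-kettle-7"))
	fmt.Println("valid presentation:", Verify(root.Public(), cred, fp, ret, sig, "blue-kettle-7"))
	fmt.Println("wrong PIN:", Verify(root.Public(), cred, fp, ret, sig, "blue-kettle-8"))
	rogue, _ := NewRoot() // a registry certified by some other root
	rogueRegistry, _ := rogue.CertifyIssuer()
	fmt.Println("rogue registry:", Verify(root.Public(), rogueRegistry.Issue(cred.Digest), fp, ret, sig, "blue-kettle-7"))
}
```

The relying party needs only the root public key, not a network connection to the bunker, which is the point of a chain: the root signs rarely and offline, registries sign often. Enrollment, revocation of a compromised registry key, and the fuzzy-matching problem of real biometric sensors are outside this example.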
  • Re:Too many notices! (Score:3, Interesting)

    by plover ( 150551 ) * on Wednesday December 17, 2008 @09:08AM (#26143995) Homepage Journal

    Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it. It made them more paranoid than they had been before, so they watched their financial data more carefully, and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")

    Or maybe many of them closed out a bunch of unused credit accounts to minimize their footprints, which actually did spare them from further breaches.
