Data Breach Notices Show Tip of the Iceberg
d2d writes "The Data Loss Database has released a new feature: The Primary Sources Archive, a collection of breach notification letters gathered from various state governments as a result of data breach notification legislation. The documents include breaches that were largely unreported in the media, many of which are significant incidents of data loss. This lends credence to the iceberg theory of data-loss reporting, where many incidents never break the surface. Now, thanks to the Open Security Foundation, we can 'dive' for them."
Some highlights (Score:5, Informative)
Some of my favorite highlights from recent incidents (I know, I shouldn't RTFM):
Names and Social Security numbers of at least 250,000 found through search engine
Date: 2008-12-02
Organizations: Florida Agency for Workforce Innovation
I guess there are many different ways you can innovate...
Social Security numbers of 341 posted on web
Date: 2008-12-04
Organizations: Economic Research Institute
If it's for research, then it's ok to post on the web...
Stolen laptop contains names and Social Security numbers of "several thousand " employees
Date: 2008-12-11
Organizations: Hewlett-Packard
If you thought only small-time loser organizations like the first two on my list were subject to embarrassing data loss, that one would set you straight.
--
http://fairsoftware.net/ [fairsoftware.net] -- Software Bill Of Rights
Re:Some highlights (Score:5, Insightful)
The problem with data loss is that it isn't a localized problem.
A loss/breach in California can screw over people living in Maine.
Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.
Re:Some highlights (Score:4, Funny)
Re: (Score:2)
Yes. [slashdot.org]
Re: (Score:2)
When I read "data loss", I think more of unrecoverable information (like crashed hard disks without backups, or forgetting passwords.) But the problem here seems to be more about "uncontrolled copies".
>> Seems to me like a situation that will sooner or later be ripe for Federal regulation or oversight.
At least in some domains, it is already. PCI for example puts restrictions on the duplication of sensitive data, and adds requirements forcing encryption.
Re: (Score:3, Interesting)
Three can keep a secret if two are dead.
Franklin, go Ben!
Re: (Score:1)
Use to force 'losers' into warning victims? (Score:4, Interesting)
I've always wondered if the organisations that 'lose' data such as SS#s are diligent in warning potential victims of identity theft etc.
Totally ignorant in this area - perhaps someone here could clarify. What, if any, are the obligations of an organisation that holds sensitive data about you to inform you of its potential or real loss?
Seems that this is a start, but it's still 'passive'. Some kind of active warning system would be better... After all, if someone's stolen my bank details and passwords, I'd really like to know, fast.
Re:Use to force 'losers' into warning victims? (Score:4, Informative)
Many (more than half?) states in the US have laws that require companies/institutions to report the loss of this kind of data. The first obligation is to report the loss to the subjects of the data so they can take steps to protect themselves.
Re: (Score:2)
Thx
Re: (Score:3, Insightful)
Why don't agencies improve authentication? (Score:4, Interesting)
From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories. Both government and private industry needs to wake up and start making it much more difficult for people to have anything bad done to them simply because someone uses their data ON TOP of mandating cryptography and security for information (which I deem to be separate concepts).
An idea - digitally sign the hash of a person's fingerprint, retina, signature and a non-obvious PIN (i.e. pictures, phrases, numbers, questions), put the root certificate authority in a government-controlled secure bunker or military base with FIPS 140 secured HSMs and multiple independent layered checks and balances, and use the signature/verification chain for both government and commercial uses.
Re: (Score:1)
From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories.
Aren't name/SSN/DoB/address examples of "something you know"? "something you have" typically refers to physical objects such as dongles and cards.
Re: (Score:1)
More precisely, they are examples of non-secret information, which isn't that useful for authentication (really, they are pieces of the very information (identity) that you are trying to authenticate).
Re: (Score:2)
Rather these are things many people know. Which makes them more suitable as "identifiers" than "authenticators". About the only way such "well known facts" could possibly be usable for authentication would be if fairly obscure ones were picked at random.
Re: (Score:1)
My bank restructured and had a loss of physical media that was being moved... There was notification, but not sure how "instant", and at first one year of "paid for" credit monitoring service that was increased to two years.
That was a bank (stricter regs). An online service that had their servers broken into a few years ago didn't notify customers for an uncertain amount of time (month or two?) before requiring changes and longer passwords and restructuring their in-house network. In that case I would ha
Re: (Score:3, Informative)
Re: (Score:2)
At this moment, the understanding of the federal law is as follows (State law may differ, IANAL):
1. You can store any data pointer on anyone in any format you like (plain text, SQL database, ...) and transfer it any way you like. There are several protected data for Personal Identifiable Information. The usual suspects: Full names, full SSN, drivers license numbers or other photo ID numbers, (mug) pictures, birth dates, addresses, full credit card numbers, employer ID
2. If you encrypt, trim (eg. cut away all
Re: (Score:1)
I always felt there should be consequences for their actions, being accountable for lost or stolen info... they should be charged for negligence! The more these cases bring big fines, the less they will skimp on security for keeping such info.
Re: (Score:2)
Kelsey Grammer is a Nazi?
No, it was Kelsey's Gramper.
Easy fix. (Score:4, Funny)
We just need to somehow convince people that data is like a young blonde, attractive, girl. I'll even give you a sample police report:
Yesterday evening at 5:04pm, a young and attractive blonde female database was pushed into a UDP connection, which fled the scene shortly after...
Re: (Score:1)
Re: (Score:2)
Forget that... I wanna know how to *copy* it ;o)
Re: (Score:3, Funny)
The first step is to steal it.
The next step is to say nice things to it.
Re: (Score:2)
Heh...
It puts the lotion on its skin, or it gets rm'd again.
Dive For Them? (Score:2)
Forget diving for it individually. Let OSF collect and collate, and task someone at /. with gathering and posting a weekly summary. It'd certainly serve a better purpose than "Ignore Mail". It'd bolster OSF's effort because, get serious now, which is going to be read more?
Re: (Score:2, Informative)
Re: (Score:1)
Actually I would agree having a "geek" review such postings and helping come up with better means for security; the problem is the third parties finding out who this person is and sending bribes... all too often we see this happen in all walks of life... unless we come up with a cycling method, that nominates people based on their posts/comments, and makes it random enough that nobody knows who is next to review the site.
Because... (Score:1)
Too many notices! (Score:4, Insightful)
Re:Too many notices! (Score:4, Insightful)
A huge business has evolved around hyping identity theft & selling related services. It isn't that common an issue. The studies done by the industry itself (the Javelin studies) show very low actual costs, minimal levels of identity theft, and the "identity theft" identified is overwhelmingly fraudulent credit card purchases by family members.
ID Analytics did an analysis of data leaked through a lost laptop & found that 6 months after the breach there was a fraud rate of 0.0%. The same study looked at fraud rates for data found in a highly sophisticated fraud ring - including name, address, DOB, SSN, etc. They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010). The same study found only 11% of breaches are actually reported.
The ChoicePoint breach - which garnered the largest FTC fine for a data breach ever, with 163,000 individuals affected. The fraud rate 3 years later for those people was 1 in 1244 - slightly better than average. Of the $5M set aside for recovery only $140k was ever used. The GAO did a study in 2007 and found that of the 24 largest breaches, only 3 had evidence of misuse of an existing account, and only one had evidence of actual identity theft.
I've made my point. I don't mean to say everything is hunky-dory in computer land. Synthetic identity fraud is a big issue - where some real & some fake data is used, so there's no real person to discover the fraud. Botnets & spyware are huge problems. State-sponsored technological attacks are worrisome. I just mean to say identity theft is exceptionally rare, and doesn't deserve all the attention it gets. Don't buy the hype, let's look at real issues.
Re: (Score:2)
They found the fraud rate was 1 in 1020, practically identical to the ambient fraud rate of non-breached data (which was 1 in 1010).
[...]
Fraud rate 3 years later of those people was 1 in 1244 - slightly better than average.
So what you're saying is that I should give my data to these thugs and *decrease* the chance of fraud? How's that logical? I'd guess the stolen accounts should have at least the same chance of fraud as any other... why does this not add up?
Re: (Score:3, Interesting)
Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it. It made them more paranoid than they had been before, so they watched their financial data more carefully, and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")
Or maybe many of them closed out a bunch of un
Re: (Score:2)
Probably because those victims were offered a year of "credit monitoring" and those victims took them up on it.
Hmm... credit monitoring (monitoring your credit reports for changes) would increase the chance of detection though, not decrease the chance of fraud. If the detection rate increases and the chance of fraud is the same, the fraud rate found for the breached data would increase, since logically there's only detected fraud in the numbers, not undetected.
It made them more paranoid than they had been before, so they watched their financial data more carefully,
That would have the same effect as the credit monitoring I guess.
and were perhaps more cautious when using their credit cards. (Of course that doesn't reduce the number of attacks, just the number that are successful, but the data posted is a "fraud rate", and doesn't denote "successful vs. unsuccessful.")
Well being more careful might decrease the chance of their cards being abused somewhat indeed...
Re: (Score:2)
I don't think it's a scalability problem. What are you supposed to do about any particular breach you read about in the news? Worry harder? "Serious" is not a matter of public opinion -- it's a boolean issue to the victims.
DidMyDataGetLeaked() ? MyProblems(serious) : MyProblems(NULL) ;
How does that differ if it happens one time or one million times? It doesn't affect us as a society any differently.
Where scalability makes a difference is in the organization who had the breach. If they have t
Problems (Score:3, Funny)
Tip of the iceberg indeed! (Score:3, Interesting)
Considering that I've received notices of data breaches at three current or former employers and from two government agencies, all of which "may" have involved personal information including my date of birth, social security number, etc. Meanwhile, there are undoubtedly some organizations which have also lost data yet failed to report that fact, plus the likelihood that others have had breaches yet do not have my current contact information. It seems safe to assume that probably every bit of personal identity information for me is now in the public domain.
While I haven't yet become an identity theft victim, it seems like it's only a matter of time. Some agencies have offered 1-year enrollment in a credit monitoring service, others simply recommend that I should make sure to check my credit reports regularly. Gee thanks!
As infuriating as all of that is, what really gets my goat is all of the advice tossed out by many of these same agencies to be sure to shred bank statements before discarding them. While I agree that one shouldn't be careless with their own financial information: 1) it seems more likely that my personal information will be stolen from the very organizations that give me this advice than some neighborhood dumpster diver, and 2) if these agencies were even half as cautious with my information, these incidents would be a rarity.
Re: (Score:2, Funny)
Data Loss Database... (Score:2)
"At the Data Loss Database."
"LOL"