Forwarded from: security curmudgeon <jericho (at) attrition.org>
Cc: matt_hines (at) ziffdavis.com

: http://www.eweek.com/article2/0,1895,2073528,00.asp
:
: By Matt Hines
: December 15, 2006
:
: The list of data breaches involving sensitive personal information
: maintained by the Privacy Rights Clearinghouse achieved a significant
: milestone Dec. 13, as the nonprofit group saw the total number of
: records exposed in such events crest the 100 million mark.

This 100 million figure is getting so many articles it isn't funny. The sad part, all of these journalists jumping on the bandwagon are doing some pretty shoddy work. The not so fine print at the top of the PRC page fairly clearly indicates that a significant amount of their data comes from the efforts of attrition / PWR and links to attrition's dataloss page. Checking that, we see that 100 million was crossed over six months ago. And remember folks, that's just based on the incidents that are documented and public.

: Since the PRC first began tracking data losses in February 2005, when
: consumer data aggregator ChoicePoint reported that fraudsters had
: gained access to 163,000 consumer records

Speaking of ChoicePoint being a 'watershed' event (PRC wording), it was reported that 145,000 records "could be" affected (later said to be 163,000), yet three months earlier there were 320,000 documents taken from Hamilton County Ohio Clerk of Courts, 100,000 from Delta Blood Bank four months earlier, and "over 100,000" from Brazos Higher Education Service Corp four months earlier, and 145,000 from The University of California (UCLA) ten months earlier, and 200,000 from Illinois Secretary of State ten months earlier, and "possibly 380,000" from San Diego State University eleven months earlier, and 500,000 from PetCo almost a year and a half earlier, and *OVER 5 MILLION* credit card numbers from DPI in March of 2003 and 562,000 from United States Department of Defense / Triwest in Jan of 2003 and for the finale... 300,000 credit card numbers from CD Universe in Jan of 2000.

So, could anyone please tell me WHY ChoicePoint was a 'watershed' event and sparked the (relatively) recent interest in dataloss? And why all these clearing houses and experts weren't on this years earlier? And why ChoicePoint is some magical cut off when there were significantly larger dataloss events years before?

---

http://attrition.org/dataloss/rant/100million.html

100 million... the gloves come off.
Thu Dec 14 20:31:40 EDT 2006
Lyger

I'm going to preface this entire rant with one caveat: I have respect for Beth Givens and Privacy Rights Clearinghouse for their efforts to promote awareness regarding data breaches that involve personally identifying information. I have respect for other groups and entities who care enough to report these breaches, analyze them, and provide meaningful and insightful commentary and analysis. However:

[..]

That's right, you read it. Attrition and PWR, for the most part, FEED PRC'S LIST. Granted, PRC started their list in April of 2005. Attrition started its list in June of 2005. At that time, neither PRC nor Attrition had any knowledge of the other's efforts. For those of you who think the Attrition.org list might have been either "borrowed" from PRC or was my idea to begin with, here's a little insider info:

[..]

The Data Loss Database - Open Source has almost 510 events and over 143 MILLION compromised records as of this writing. 100 million? Dudes and dudettes, we had that over six months ago.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Dec 19 2006 - 23:10:46 PST