Re: [ISN] Dark Day Planning: Insuring Against Data Loss

From: InfoSec News (alerts@private)
Date: Tue Dec 19 2006 - 23:03:19 PST


Forwarded from: security curmudgeon <jericho (at) attrition.org>
Cc: matt_hines (at) ziffdavis.com

: http://www.eweek.com/article2/0,1895,2073528,00.asp
: 
: By Matt Hines
: December 15, 2006
: 
: The list of data breaches involving sensitive personal information 
: maintained by the Privacy Rights Clearinghouse achieved a significant 
: milestone Dec. 13, as the nonprofit group saw the total number of 
: records exposed in such events crest the 100 million mark.

This 100 million figure is getting so many articles it isn't funny. The 
sad part, all of these journalists jumping on the bandwagon are doing 
some pretty shoddy work. The not so fine print at the top of the PRC 
page fairly clearly indicates that a significant amount of their data 
comes from the efforts of attrition / PWR and links to attrition's 
dataloss page. Checking that, we see that 100 million was crossed over 
six months ago. And remember folks, that's just based on the incidents 
that are documented and public.

: Since the PRC first began tracking data losses in February 2005, when 
: consumer data aggregator ChoicePoint reported that fraudsters had 
: gained access to 163,000 consumer records

Speaking of ChoicePoint being a 'watershed' event (PRC wording), it was 
reported that 145,000 records "could be" affected (later said to be 
163,000), yet three months earlier there were 320,000 documents taken 
from Hamilton County Ohio Clerk of Courts, 100,000 from Delta Blood Bank 
four months earlier, and "over 100,000" from Brazos Higher Education 
Service Corp four months earlier, and 145,000 from The University of 
California (UCLA) ten months earlier, and 200,000 from Illinois 
Secretary of State ten months earlier, and "possibly 380,000" from San 
Diego State University eleven months earlier, and 500,000 from PetCo 
almost a year and a half earlier, and *OVER 5 MILLION* credit card 
numbers from DPI in March of 2003 and 562,000 from United States 
Department of Defense / Triwest in Jan of 2003 and for the finale... 
300,000 credit card numbers from CD Universe in Jan of 2000.

So, could anyone please tell me WHY ChoicePoint was a 'watershed' event 
and sparked the (relatively) recent interest in dataloss? And why all 
these clearing houses and experts weren't on this years earlier? And why 
ChoicePoint is some magical cut off when there were significantly larger 
dataloss events years before?


---

http://attrition.org/dataloss/rant/100million.html

100 million... the gloves come off.
Thu Dec 14 20:31:40 EDT 2006
Lyger

I'm going to preface this entire rant with one caveat: I have respect 
for Beth Givens and Privacy Rights Clearinghouse for their efforts to 
promote awareness regarding data breaches that involve personally 
identifying information. I have respect for other groups and entities 
who care enough to report these breaches, analyze them, and provide 
meaningful and insightful commentary and analysis. However:

[..]

That's right, you read it. Attrition and PWR, for the most part, FEED 
PRC'S LIST. Granted, PRC started their list in April of 2005. Attrition 
started its list in June of 2005. At that time, neither PRC nor 
Attrition had any knowledge of the other's efforts. For those of you who 
think the Attrition.org list might have been either "borrowed" from PRC 
or was my idea to begin with, here's a little insider info:

[..]

The Data Loss Database - Open Source has almost 510 events and over 143 
MILLION compromised records as of this writing. 100 million? Dudes and 
dudettes, we had that over six months ago.

