Schneier on Security
A blog covering security and security technology.
« U.S. Navy Patents Firewall |
| Friday Squid Blogging: Squid Cares for its Young »
July 7, 2006
A Chronology of Data Breaches
Here's a chronology of data breaches since the ChoicePoint theft in February 2005.
Total identities stolen: 88,794,619. Although, almost certainly, many names are on that list multiple times.
Posted on July 7, 2006 at 12:48 PM
• 19 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I want a "Schneier for President" bumper sticker.
Someone *please* explain to me why people are continuously allowed to put this sort of data on a mobile computing device.
@pat--Someone *please* explain to me why people are continuously allowed to put this sort of data on a mobile computing device.
Physically stolen laptops are only a small portion of that list. The issue is much larger than that.
> Physically stolen laptops are only a small portion of that list
Agreed. They are, however, a symptom of the mindset that leads to the larger issue - "I need access to that data!"
Most of these would vanish with anything resembling a decent data access and storage policy. I would imagine even a large percentage of those "insider" events and "hacking" events would be minimized or non-events if the insiders (or hacked accounts) didn't have access to the data that they don't actually need or shouldn't have.
I don't have the time to do it right now, but it would be interesting to see what the breakdown is by 'type of breach' - theft of equipment, hacking, malicious insider, accident/negligence (such as 'exposed by email' and 'posted on website'), unknown, etc. It's also worth pointing out that one breach (CardSystems) accounts for 40mm of the 88.7mm records, which would substantially skew the breakdown I mention above towards 'hacking' as a cause.
Bruce mentions that many names are probably on multiple lists. Agreed. But the implication shouldn't be that the number is therefore an overestimate. It is most likely a vast underestimate, for several reasons (eg, only orgs that are required to disclose these losses do so, many losses aren't even detected, and if they are detected and must be disclosed, the chance of the org having an accurate inventory of what was lost is slim, etc.).
"Data records stolen" not "identities stolen". I don't think you would consider an identity stolen until someone poses as that person.
Consider, too, that a number of those incidents list the count as "unknown."
If the Social Security Administration published everyone's SSN and name, then no organization could use the Social Security Number as if it were a "secret password" that granted access to account information or verified identity and individuals would not have to protect it or worry about it being "lost" or "stolen".
Given the fact that there's only about 260 million citizens in the US, I think 88 million identity "breaches" (even if there are multiple double-ups) already means that SSN and name can be discounted as a "secret password".
Now we just need some court to enforce that...
Haven't any of these organisations heard of encryption? And this is just a list for the USA - what about Europe - Asia?
Quinlan has a point.
Proposing a law requiring this to happen might have good effects: if the privacy outcry was great enough _against_ it, we might see (more, better) pro-privacy legislation.
And if there was no outcry, well, hey, then, problem solved. Sorta.
James - I don't know about Asia, but in Europe the equivilent of a Social Security Number isn't used as identification. The credit bureaus assign their own unique identifiers to individuals in their databases. That reduces the ability to "steal" a person's identity by acquiring a single piece of information.
Here is one article: http://moneycentral.msn.com/content/Banking/...
Also, in some Eastern European countries, _good_ credit histories are generally not revealed/published by creditors. On the other hand, a database of known credit risks (and the background of how people made it to the database) can be shared between financial institutions. So the identities on this semi-public list are in wider circulation, but one does not want to steal an identity from the list.
Here is the summary for the Hungarian system:
other new EU members have similar organizations. This is the most important sentence:
"An amendment to ... laid the legal foundations for the right of reporting _negative_ credit information about natural persons as credit debtors."
@Michael - outstanding idea, except for 2 problems.
1) Even if you published the entire SSAN database (do they still print "not for identification purposes" on the SS card, which you have to show to prove who you are?) it would be 8 years or more before the GOVERNMENT stopped using it as a key, some companies would NEVER stop.
2)Those companies that DID make the change would be unable to compete because the 100% increase in (total) staff they would have to incur for the "what is my new account number again?" calls would put them at a competitive disadvantage and they would go out of business.
Americans are not smart enough to remember more than... ooh, look a caterpillar.
We should have a poll: what is the most insidious threat, identity theft or shark attacks? Snakes on a plane, anyone?
John, attrition.org has this data and tracks it in more detail, including type of information lost, categorizes who lost it and has considerably more incidents, especially before the ChoicePoint loss. In the coming months, the database will be available to everyone and contain even more fields that should make the data more meaningful.
That’s a surprisingly low number of internal attacks. According to my analysis of this list, only 36% of these cases were the fault of current or former employees (including internal user error including loss, internal user attack, and former employee attack).
This contrasts the Enterprise Strategy Group and Vormetric studies (http://tinyurl.com/lz783), which indicate that 60% of data breaches were from internal attacks. In addition, a Microsoft survey (http://tinyurl.com/lrb4q) showed that 22% of UK employees illegally accessed sensitive internal data and 54% said they would if they could. Deloitte & Touche (http://tinyurl.com/jreb2) also show that internal attacks are the biggest risk.
How accurate are the Privacy Rights Clearinghouse reports?
It should be pointed out that the PRC list/report, as well as the attrition.org breach list/data, only contain data if a breach was either reported through the media or to the list maintainers themselves. The studies you list above may likely contain data that has not been released to the media (for example, out of ten companies surveyed, 6 reported an internal data breach but only 3 were covered by the media).
There will usually be incidents not disclosed, overstating or understating of numbers, and general inaccuracy of any reported over total or percentage. External attacks such as laptop theft or web exposure will usually be more high-profile and therefore more likely to be covered by the media, so that may skew the numbers depending on what data you analyze.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.