"The Top 10 Data Breaches of 2007"

According to CSO Magazine.

Posted on December 18, 2007 at 12:30 PM • 23 Comments

Comments

aeschylus • December 18, 2007 1:17 PM

Despite the fairly common misuse in this context, data is not "breached". Containers and boundaries are breached, not the contents delimited. You breach a vault, not the treasure inside.

John W • December 18, 2007 1:34 PM

@aeschylus

I understand your point and agree with it generally. However, I think the reason breach is used is because the "treasure" inside, as you put it, is still there. They received a copy of it, but it is not lost to the owner, as a treasure in a breached safe would be.

I guess the best way to say it is the security was breached, the data was disclosed. But to just say "data breach" is well understood and I therefore have no problem with the terminology.

Best,
John

aeschylus • December 18, 2007 2:05 PM

John W,

I agree it's understood, in the way a lot of bad writing is understood, but it makes attentive people cringe. As you suggest, "disclosure" is better in most cases. In others, the thing breached may be suitably modified, e.g. "data protection breaches". And "compromise" is still a fine word.

There is also a point at which using "breach", even correctly, misplaces credit. What breach occurs when unencrypted CDs are lost in the unsecured mail? There was no boundary to be violated--or if there was, it was the postal service's boundary, not HMRC's.

It would be nice to see some thought go into word choice where these matters are concerned. Writing about data security has been devolving further and further into meaningless jargon. The horror started with "identity theft", moved on to "spills" [shudder] and "data breaches", and then we have the Prince of Nonsense, "personally identifiable information"--what in the world does that mean?

Rob Mayfield • December 18, 2007 2:57 PM

@John W: "I think the reason breach is used is because the "treasure" inside, as you put it, is still there. They received a copy of it, but it is not lost to the owner, as a treasure in a breached safe would be."

That assumes two things:
- they didn't destroy or corrupt/change the original copy of the information they took (and if they did change it, did the original owner realise?), and
- the stolen information is worth the same to the original owner once it is disclosed to what it was worth when it was secret.

Also, the damage isn't just directly related to addressing the exploit method, loss of brand credibility can potentially be a huge cost.

Hal O'Brien • December 18, 2007 5:38 PM

I tried to leave a comment for the article.

Even though Last Name is a required field, it didn't allow the apostrophe.

So, basically, this article is written by a group of people who can't be bothered to program to 1980s standards. Sweet.

I'll admit it's a widely observed problem. That doesn't make it any less annoying for me.
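The comment above does not say why the form rejected the apostrophe, but the usual reason a web form refuses `'` in a name field is a crude SQL-injection filter bolted onto string-concatenated queries. The following is an added example, not code from the CSO Magazine site or from this page: it contrasts that blocklist approach with a bound-parameter insert and an allow-list validator that accepts names like O'Brien. The table name, column names and functions are hypothetical, and the in-memory SQLite database is constructed for the demonstration.

```python
import re
import sqlite3

# Constructed example; not code from the CSO Magazine comment form.
# Assumption: the form rejected apostrophes to defend string-concatenated SQL.
# The durable fix is to bind parameters and let the validator accept the
# characters real surnames contain (apostrophe, hyphen, space, accented letters).

# Allow-list: a letter, then up to 79 letters/apostrophes/hyphens/spaces.
NAME_RE = re.compile(r"^[A-Za-z\u00C0-\u024F][A-Za-z\u00C0-\u024F' \-]{0,79}$")


def naive_rejects(last_name: str) -> bool:
    """What a 'no apostrophes allowed' filter does: O'Brien is turned away."""
    return "'" in last_name


def validate_name(last_name: str) -> bool:
    """Allow-list validator: accepts O'Brien and Smith-Jones, rejects SQL syntax."""
    return bool(NAME_RE.match(last_name))


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE commenters (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)"
    )
    return conn


def unsafe_insert(conn: sqlite3.Connection, last_name: str) -> None:
    """Concatenated SQL: an apostrophe terminates the literal and breaks the
    statement (the reason a lazy developer blocks the character instead)."""
    conn.execute("INSERT INTO commenters (last_name) VALUES ('" + last_name + "')")


def safe_insert(conn: sqlite3.Connection, last_name: str) -> int:
    """Bound parameter: the apostrophe is data, never SQL. Returns the row id."""
    if not validate_name(last_name):
        raise ValueError("last name contains disallowed characters")
    cur = conn.execute("INSERT INTO commenters (last_name) VALUES (?)", (last_name,))
    return cur.lastrowid


def lookup(conn: sqlite3.Connection, row_id: int) -> str:
    return conn.execute(
        "SELECT last_name FROM commenters WHERE id = ?", (row_id,)
    ).fetchone()[0]


def demo() -> dict:
    """Run the three approaches against the surname O'Brien and report."""
    conn = open_db()
    results = {"naive_rejects_obrien": naive_rejects("O'Brien")}
    try:
        unsafe_insert(conn, "O'Brien")
        results["unsafe_raised"] = False
    except sqlite3.OperationalError:  # sqlite: near "Brien": syntax error
        results["unsafe_raised"] = True
    row_id = safe_insert(conn, "O'Brien")
    results["stored"] = lookup(conn, row_id)
    # Allow-list still stops injection-shaped input without banning apostrophes.
    results["rejects_injection"] = not validate_name("x'); DROP TABLE commenters; --")
    return results


if __name__ == "__main__":
    print(demo())
```

The point is that the apostrophe was never the problem; the concatenation was. Once the value is bound as a parameter, the validator only has to express what a name looks like, and it can be generous without reopening the injection hole.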

Just Sayin' • December 18, 2007 8:17 PM

@aeschylus

I wonder if your considerable grammatical talents aren't being wasted on us humble security folks.

Please consider posting your dissertations on grammar on a more grammar-focused forum, and consider discussing security topics here.

aeschylus • December 18, 2007 9:56 PM

Just Sayin': "consider discussing security topics here."

How to write clearly about security is a security topic. In fact, if you review, you'll find Schneier himself comments occasionally on the language of security at times. See, for example:

http://www.schneier.com/blog/archives/2005/04/...

So, my friendly counter-suggestion is that you take the time to write about the security matters of interest to you, because I am quite interested in those.

sacundim • December 18, 2007 11:26 PM

@ aeschylus: Please let's refrain from grammar Nazism. You're certainly no linguist.

The semantic relationship between the words in English noun-noun compounds isn't predictable from the way they're combined, and can be quite idiosyncratic. Faced with an example like "data breach," nothing about the grammar of English requires that to mean "a breach in which the thing that is breached is data." Any attempt to formulate generalizations that predict the meaning of arbitrary English noun-noun compounds from the meanings of the constituent nouns will fall very quickly to countless counterexamples.

Do you think that when somebody commits a traffic violation, they literally violate traffic? Or that when they receive an excellence award, they are awarded excellence?

sacundim • December 18, 2007 11:30 PM

@ aeschylus: Or put another way, your proposed grammar rule is not a moral imperative that you get to impose on us. It's a hypothesis about the grammar of English, that's refuted by the very example that you're peeved about. The correct reaction when speakers of Standard English regularly violate what you think is a rule of English grammar isn't to conclude that the speakers are wrong; it's to conclude that your rule is not in fact a rule of Standard English grammar.

Fraud Guy • December 19, 2007 12:16 AM

From the article:

"Priceless moments included TJX's defense in press accounts that 'our security was comparable to many other major retailers.'"

Having worked on PCI compliance, this is sadly true. The data protection requirements from the card associations were slated for 2002, and kept getting pushed back until the 2005 drop dead date, and even that was pushed back if you had a "plan".

VS • December 19, 2007 3:32 AM

One thing we can all look forward to is that every year this list will get worse (or 'better' if you want big news on security mishaps).

In a few years time we can look forward to a top 10 list of companies that go out of business due to violations of information security.

Roll on 2008....

aeschylus • December 19, 2007 3:33 AM

sacundim: "Do you think that when somebody commits a traffic violation, they literally violate traffic?"

"Traffic violation", as with many similar constructions, can be regarded either as elliptical (e.g. traffic-law violation, merited-by-excellence award), or a case where a noun has become a qualifier rather than the actor or patient--as with ellipsis, a transformation made for the speaker's convenience rather than out of grammatical principle. In such cases, yes, our knowledge of the world enables us to understand the speaker despite the literal meaning of his words, often simply because repetition has established the meaning idiomatically. That doesn't mean the speech is a good model, especially where a new jargon is being developed and the speaker may use existing language we readily comprehend, rather than attempting to establish new grammatical precedent through repetition of gobbledygook we manage to understand in spite of itself.

sacundim: "The correct reaction... "

That depends on a lot of things, including who the speaker is, the context, the regularity (this case is not yet regular by any means), and how jarring the speech is to the native ear. How does "treasure breach" sound to you? I find it hard to believe you think "data breach" is a much more natural-sounding phrase; minimally, it sets a new usage precedent for "data". I think this is a case where writers simply do not know the traditional use of the relatively uncommon word "breach", and therefore a case worthy of correction, although I imagine it's too late, what with all the apologists accusing people of being Nazis.

Or to put it another way, that prescription, i.e. the "correct" reaction, is not a moral imperative that you get to impose on us. Thank you, though, for the thoughtful, if graceless, response.

Anonymous • December 19, 2007 5:12 AM

If "Data Breach" is incorrect, please tell us how the headline SHOULD have been worded.

Top Ten Security Breaches Involving Data, perhaps?

Top Ten Data-Related Security Breaches?

Top Ten Haxx0rages of Teh Data?

Top Ten Cyber-Heists?

Now we're ALL cringing.

Colossal Squid • December 19, 2007 5:40 AM

@aeschylus: citations would be nice for your assertions.
Note: Strunk and White doesn't count.
@sacundim: please define 'Standard English.'

DanC • December 19, 2007 6:42 AM

Semantics ARE important. That being said, I fell asleep last night looking at a section in Applied Cryptology and dreamed of a giant squid.

John W • December 19, 2007 12:32 PM

@ Rob Mayfield: That assumes two things:
- they didn't destroy or corrupt/change the original copy of the information they took (and if they did change it, did the original owner realise?), and
- the stolen information is worth the same to the original owner once it is disclosed to what it was worth when it was secret.

Also, the damage isn't just directly related to addressing the exploit method, loss of brand credibility can potentially be a huge cost.
_________

Fair enough. For the most part, though, I think most of those who obtain sensitive information want to go without detection as long as possible so they have more time to use it before the company and customers start taking action. But you're right, any one of the things you mentioned could happen.

Alan • December 19, 2007 12:50 PM

When the fad of putting USB drives in underwear becomes popular will we be seeing a "top 10 data britches" article here?
