Is It Time To End the Breaches Category?
Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting of Bob Sullivan and others, and my unholy fascination with it, and Chris’s dedication in finding data, things have changed. This blog became an important source of information and analysis, and I’m very pleased to have contributed to the changes. The stories are now mainstream, and more broad. Things like “Payroll Giant [ADP] Gives Scammer Personal Data of Hundreds of Thousands of Investors” make ABC news. (Names and addresses, not SSNs.)
Academic researchers, not to mention the AARP, are using the breaches archive to get data for studies, and that’s both really cool and really scary. (For the AARP story, see Brian Krebs, “Study Analyzes 16 Months of Data Breaches.”) Chris and I should not be amongst the best data sources on a major emerging category of crimes. The FBI should be accumulating this, along with the National Crime Victimization Survey, and, you know, the guys at Attrition, and anyone else who wants to collect, and ideally, share their data.
It seems to me that the Dataloss list and database are now my primary source for breach data, and that causes me to ask, is it still worth having the roundups of breaches? I’d love reader feedback before I make a final decision.
Lastly, when it comes to pithy analysis, Anton Chuvakin pointed to “Hacking Still can’t outdo stupidity for data leaks.” Good to know!
Photo by Andres Colmenares.