Shostack + Friends Blog Archive

 

It’s not all about "identity theft"

handshake.jpgThere’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes:

If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed.

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

We shouldn’t allow the discussion to center on ID theft. It should center around the meeting of the minds, and the exchange of value.

That was my point of my privacy enhancing technologies talk: that we’ve got to look at these things as privacy issues, not just security issues.

Photo: “Handshake through TFT screen,” by Henkster on Stockxprt.com.

Originally published by adam on 30 Jun 2007
Last modified on 19 Jul 2017
Categories:   breach analysis  

5 comments on "It’s not all about "identity theft""

  • Dissent says:
    30 Jun 2007 at 4:59 pm

    ** stands up and applauds **

  • Alex says:
    30 Jun 2007 at 8:06 pm

    “80% of the revealed PII never gets detected as having been revealed.”
    Do we know what % of revealed PII is used in crime?

  • Andy Steingruebl says:
    30 Jun 2007 at 10:30 pm

    Well said. Its easy to forget this when we’re faced with a regulatory regime that focuses solely on the possibility of identity theft. I wrote a little piece to further back this up – http://securityretentive.blogspot.com/2007/06/data-breaches-and-privacy-violations.html

  • Andy Steingruebl says:
    30 Jun 2007 at 10:39 pm

    Ok, the last URL I posted has an extra trailing period on it and doesn’t work. Sorry about that. Perhaps *someone* can fix it? I made the same mistake in my comment on Chris’ original item.

  • Chris says:
    1 Jul 2007 at 2:47 pm

    @Alex:
    ID Analytics did some work with a purposive sample (i.e., non-random but intended to be representative) and claim that the probability of ID theft within (IIRC) 12 months of a breach is no more than 1 in 1000.
    Until there is more transparency into how they track the ID elements, I’d use this as “suggestive” and maybe give or take an order of magnitude. Since they have now productized this tracking capability, they probably have more information, but I haven’t seen any more white papers from them.
    @Andy — I fixed your URLs.

Comments are closed.