Shostack + Friends Blog Archive

Is 2,100 breaches of security a lot?

[Image: “Forest and Sky” (forest-sky.jpg)]

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors:

THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone.

And 41 laptops – many containing sensitive financial details relating to members of the public – were stolen from employees at HM Revenue and Customs (HMRC) over the last 12 months, demolishing any notion that the loss of two computer discs containing the details of child benefit claimants was a “one-off” error.

There’s a scene in one of the Star Trek movies that’s stuck with me. Captain Kirk is walking around San Francisco and needs some cash. He goes into a pawn shop to sell his glasses, and the guy offers him a hundred bucks. Kirk looks at him and says “Is that a lot?” He doesn’t have the context to understand the number that he’s been given.

When I hear that HMRC has had 2,100 breaches reported, I’m forced to ask, “is that a lot?”

To put the number in context, we need three things:

  • What is a breach? Does it include, for example, leaving your screen unlocked when you go to the restroom? We can’t understand what 2,100 breaches mean without knowing what is being counted.
  • How big is the department? If it’s 10 people, then that’s a breach a day. If it’s 2,100 people, then it’s a breach a year. (As an indicator, page 7 of the HMRC 2007 departmental report indicates that their IT department supports 110,000 workstations and 120,000 mailboxes.) So it seems that they’re at about 1 “breach” per 50 employees per year.
  • How does this compare to other organizations? Do other departments of Her Majesty’s government breach at the same rate? That seems lower than the US Government reported rate of one per hour, but actually, 2,100 breaches is about one per hour per business day for HMRC. So does HMRC leak at the same rate as all of the US government, or are we seeing different definitions of breaches?
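The three questions above come down to choosing a denominator before the headline number means anything. As an added example (not code from the original post), the small Python helper below takes the post's own figures, 2,100 reported breaches and 110,000 workstations as a headcount proxy, and restates them on several scales; the 250-day, 8-hour business year it uses to reproduce "about one per business hour" is an assumption made here, as is treating the US "one per hour" figure as a calendar-hour rate.

```python
"""Normalising a raw breach count so it can be compared across organisations.

Added example, not the post's own code. The inputs are the figures the post
quotes (2,100 breaches, 110,000 workstations); the business-year model is an
assumption chosen here.
"""

BUSINESS_DAYS_PER_YEAR = 250   # assumption: working days in a year
HOURS_PER_BUSINESS_DAY = 8     # assumption: working hours in a day
CALENDAR_HOURS_PER_YEAR = 365 * 24


def normalize_breach_rate(breaches, headcount, period_days=365,
                          business_days=BUSINESS_DAYS_PER_YEAR,
                          hours_per_day=HOURS_PER_BUSINESS_DAY):
    """Express one breach count on several scales.

    Returns a dict so the caller can see how much the choice of denominator
    moves the number: per employee per year, employees per breach, per
    business hour and per calendar hour.
    """
    if breaches < 0 or headcount <= 0 or period_days <= 0:
        raise ValueError("breaches must be >= 0; headcount and period must be > 0")
    per_year = breaches * 365 / period_days          # scale the count to one year
    business_hours = business_days * hours_per_day   # hours the office is actually open
    return {
        "per_employee_per_year": per_year / headcount,
        "employees_per_breach": headcount / per_year if per_year else float("inf"),
        "per_business_hour": per_year / business_hours,
        "per_calendar_hour": per_year / CALENDAR_HOURS_PER_YEAR,
    }


def breaches_per_year_from_hourly(rate_per_hour, hours_per_year=CALENDAR_HOURS_PER_YEAR):
    """Turn a 'one every hour' headline figure back into an annual count.

    The same headline gives very different annual totals depending on
    whether 'hour' meant a calendar hour or a business hour.
    """
    if rate_per_hour < 0 or hours_per_year <= 0:
        raise ValueError("rate must be >= 0; hours_per_year must be > 0")
    return rate_per_hour * hours_per_year


# The post's HMRC figures: 2,100 breaches against 110,000 workstations.
HMRC = normalize_breach_rate(breaches=2100, headcount=110_000)

# The post's US figure, "one per hour", read two ways (assumption: which
# kind of hour was meant is not stated, so both readings are shown).
US_CALENDAR_HOURS = breaches_per_year_from_hourly(1)
US_BUSINESS_HOURS = breaches_per_year_from_hourly(
    1, BUSINESS_DAYS_PER_YEAR * HOURS_PER_BUSINESS_DAY)

if __name__ == "__main__":
    for scale, value in HMRC.items():
        print(f"HMRC {scale:>22}: {value:.3f}")
    print(f"US 'one per hour' as calendar hours : {US_CALENDAR_HOURS} per year")
    print(f"US 'one per hour' as business hours : {US_BUSINESS_HOURS} per year")
```

Run as a script it prints HMRC at roughly one breach per 52 employees per year, about 1.05 per business hour but only 0.24 per calendar hour; the US headline, depending on which kind of hour it meant, corresponds to either 8,760 or 2,000 incidents a year, a fourfold spread before any question of headcount or of what counts as a "breach" is even reached.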

This is clearly a bad breach, a meaningful one for the UK, and it will influence what emerges from the many discussions around breaches, breach disclosure and computer security.

To me the most important lesson is that we’re unable to say if this is one of the worst breaches, or simply one of many bad ones. Like Captain Kirk, we don’t have the context to understand the number.

Credits: Yorkshire Post story via Pogo Was Right. Image: “Forest and Sky,” showing comet Holmes shining a bit more brightly than the many stars. Photo by Vincent Jacques, via Astronomy Picture of the Day, and begging the question: is this a comet, or a star?

2 comments on "Is 2,100 breaches of security a lot?"

  • Chris says:

    Maybe a bit of comparison would be the 4000 breaches — whatever that means — that the US executive branch reported from mid-2006 to mid-2007.
    If the HMRC has a computer-using headcount of 110K, then it is about 1/20th the size of the U.S. federal executive branch (http://ftp2.census.gov/govs/apes/04fedfun.txt). If we ASSume that half the Feds (1.2×10^6) have a computer, then going by the count of 4,000 breaches I wrote about in an earlier post the UK is leaking data at a rate five times greater than that of the U.S. (which weighs in at one breach per 570 employees per year).
    If we make what I think is a fair assumption – British and American bureaucrats are roughly equally (in)competent – then this means that we don’t even know *to an order of magnitude* what the breach incidence is. It may be time for uniform reporting criteria, if only to preserve the remnants of my sanity :^)

Comments are closed.