Shostack + Friends Blog Archive


"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.
We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards for how such decisions should be made. With such standards, organizations could make better decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

6 comments on “"No Evidence" and Breach Notice”

  • This is exactly why regulators such as the State of Massachusetts pass laws like 201 CMR 17. The bar will be raised from “do you have an absence of evidence” to “are reasonable controls in place to prevent and detect a breach”. Soon all it would take is for one donor record to be from Massachusetts…

  • Adam Dodge says:

    I often wonder if the wording used in these press releases might not be part of the problem. The difference between absence of evidence and evidence of absence is something that might not translate through to a general media release.
    I agree that organizations need to stop relying on “absence of evidence” as a PR crutch to help ease concerns. However, as you state, there are times when investigations show that the sensitive/protected information was never accessed. In these cases, “no evidence…” needs to be replaced with something along the lines of “the investigation determined…”.
    Then again, how often are press releases issued when the investigation has shown that there is no (or more realistically minimal) risk to sensitive/protected information?

Comments are closed.