Shostack + Friends Blog Archive


Fines or Reporting?

Over at the Office of Inadequate Security, Dissent does excellent work digging into several perspectives on Discover Card breaches: Discover’s reports, and the (apparent) silence of breached entities.

I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. For now, though, let’s start with what I found when I received one batch of their reports to NYS. Keep in mind as you read the summaries that we are only talking about the number of Discover card users affected by the incidents and for only two states. The numbers affected by each incident could be considerably higher, but since the entities themselves never filed breach reports with NYS or Maine, I have no additional information at this time. (“Staring into the abyss: how many breaches go unreported?”)

As much as I’d like to encourage security and punish failures, I’d like to first see us know how much is wrong so we can estimate progress over time.