Shostack + Friends Blog Archive


Security Lessons from

There’s a great “long read” at CIO, “6 Software Development Lessons From’s Failed Launch.” It opens: This article tries to go further than the typical coverage of The amazing thing about this story isn’t the failure. That was fairly obvious. No, the strange thing is the manner in which often conflicting information is […]


What Happened At OPM?

I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing. I also want to acknowledge the tremendous concern that those who employ those with clearances […]


California gets a strengthened Breach Notification Law

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger. As described [.DOC] by its sponsor’s office, this law: Establishes standard, core content — such as the type of information breached, time […]


J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]


Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]


Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut. Connecticut’s attorney general said Monday that he’s investigating insurer Blue […]


New on SSRN

There are new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]


Social Security Numbers are Worthless as Authenticators

The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The findings, published Monday in The Proceedings of the National […]


The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the […]


"No Evidence" and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:” Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those […]


More breach visualization

I received some excellent comments on my previous breach visualization post, which I wanted to highlight for EC readers and take a stab at addressing.


Breach Visualization

I took the latest breach database and extracted all breaches involving a third party, omitting all columns other than the reporting entity and the third party. I then ran the resulting two-column CSV file through afterglow, and finally made a pretty (3MB) picture with graphviz. This was done more for fun than for insight, but […]


Breaches Conference audio online

Back in March, the Berkeley Center for Law and Technology put on a great conference, the “Security Breach Notification Symposium.” It was a fascinating day, and the audio is now online.


Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law. As reported in the St. Louis Business Journal on April 1: Missouri businesses would be required to notify consumers when their personal or financial information is […]


Happy Sunshine Week

March 15-21 is “Sunshine Week”, a government transparency initiative described by its main proponents as a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know. The […]


The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? […]


Javelin ID theft survey

Salon reports “Identity theft up, but costs fall sharply:” In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to […]


$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly): (Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by […]


Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder: Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. […]


First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.” This is the report’s figure 3: Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, […]


A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant. StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:” What’s exciting about this […]


Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]


Massachusetts Analyzes its Breach Reports

In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages. There are many interesting bits in those four pages, but the two that really jumped out […]


ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]


Evidence of Time Travel Found in China

According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back. The archaeologists on the dig have requested archaeologists from Beijing to help […]


Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?” Me, I think it’s time we get deeper into what this means. First, the customers. Should they abandon a relationship because the organization has a security problem? To answer […]


DataLossDB announces awesome new feature

The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents. This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover […]


"No evidence the data was misused"

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it. Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected […]


Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “On the “Anonymity” of the Facebook Dataset.” He discusses how A group of researchers have released a dataset of Facebook profile information from a group of […]


2008 Breaches: More or More Reporting?

Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches – more than its total for […]


That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]


Cleared Traveler Data Lost

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in “Laptop Discovery May End SFO Security Scare” the “alleged theft of the unencrypted laptop” lost information including names, addresses, birth dates and some applicants’ driver’s license numbers and passport information, but does not […]


Breaches & Human Rights in Finland

The European Court of Human Rights has ordered the Finnish government to pay out €34,000 because it failed to protect a citizen’s personal data. One data protection expert said that the case creates a vital link between data security and human rights. The Court made its ruling based on Article 8 of the European Convention […]


Breach notice primary sources

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line. I responded thusly (links added for this blog post): I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ […]


Maryland Breach Notices

Case Number | Date Received | Business Name | No. of MD residents | Total breach size | Information breached | How breach occurred
153504 | 06/09/08 | Argosy University | | | name, social security number, addresses | Laptop computer stolen from employee of SunGard Higher Education

Maryland Information Security Breach Notices are put online by the most forward-looking Douglas F. Gansler, attorney general. I’m glad […]


Passport-peeking probably pervasive

Back in March, we wrote about unauthorized access to Barack Obama’s passport file. At the time, a Washington Post article quoted a State Department spokesman: “The State Department has strict policies and controls on access to passport records by government and contract employees” The idea was that, while snooping might occur, it would be caught […]


Iowa breach law arrives a bit early

On May 10, Iowa became the 42nd U.S. state (counting D.C. as a state) with a breach notification law. The law itself is not remarkable. If anything, it is notably weaker than many other states’ laws. When can we expect to see the last stragglers finally pass their laws? Here’s a plot of each state’s […]


Can You Hear Me Now?

Debix, Verizon, the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security. This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have […]


Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of “Carding” Reveals.” It’s an analysis of several cases and the trends in carding and the markets which exist. I want to focus in on one area, which is recommendations around breach notification: Several bills now before Congress […]


Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]


CSO’s FUD Watch

“Introducing FUD Watch:” Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – […]


Does the UK need a breach notice law?

Chris Pounder has an article on the subject: In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly lose personal data or fail to encrypt personal data when they should have done. Individuals […]


Please read more carefully.

A paper by Sasha Romanosky, Rahul Telang, and Alessandro Acquisti to be presented at the upcoming WEIS workshop examines the impact of breach disclosure laws on identity theft. The authors find no statistically [significant] evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce The folks at Bank […]


"The Black Hat Tax?" Show me the money

A number of people have sent me links to “Black Hat Tariffs – The Black Hat Taxes on consumer Internet companies are on the rise:” In May 2006, I made mention of the Black Hat Tax, in which most consumer Internet sites have an inherent time, resource, and mindshare tax of roughly 25% due to […]


The Difference Between Knowledge and Wisdom

If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take […]


6/16ths of Chileans’ personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]


Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma” “It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was […]


A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]


Italy Posts Tax Return Data on Official Website

How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]


The messenger is the message

In a blog post entitled “Lending Tree A Little Late In Cutting Off Network Access?”, I read that in the recent Lending Tree breach: several former employees may have helped a handful of mortgage lenders gain access to Lending Tree’s customer information by sharing confidential passwords with the lenders. Later, the author describes “an obvious […]


University of Miami: Good for the body, bad for the soul?

The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes. The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and well, there’s no financial […]


Microsoft Security Intelligence Report V4

Microsoft Security Intelligence Report (July – December 2007) This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest […]


Virginia gets it

[…]an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Virginia’s […]


41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]


The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer […]


94% of Philippine IT Professionals Endorse Breach Disclosure

“LOCAL SURVEY SHOWS: Private sector wants breach of information systems reported:” MANILA, Philippines — Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed. “A surprising 94 percent favored the imposition by law of [an] obligation upon […]


I see you stand like greyhounds in the slips…

…straining upon the start. The game’s afoot! Follow your spirit; and upon this charge Cry ‘God for Harry, England, and Saint George!’ So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, ““Once more into the breach:” (Thoughts on the cumulative effects of notification letters).” I seem […]


A Crime That Flourishes Because Victims Remain Silent

There’s a fascinating article in the New York Times, “Report Sketches Crime Costing Billions: Theft From Charities.” “I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor […]


Reporting on Data Breaches: US and Great Britain

Is the recent wave of reporting on British data breaches similar to what we’ve been seeing in the US? A couple of things seem true: the US has way more reported breaches per capita, but both locations have seen greatly accelerated reporting. Here’s a plot of all US (Country = ‘US’) and British (Country = […]


Are We Measuring the Right Things?

One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures “on time departures.” The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the […]


You Can't Say That: Blogging Your Failures

I forgot exactly where I saw the link to Ben Neumann’s Views from the Trenches, but the opening lines of his post “Network Outage” are great, doubly for what he’s just gone through: Today was a NIGHTMARE-DAY! just emerged from a major outage – the worst in company history and everybody – customers and […]


Analyzing the Analysts

In Things Are Looking Up For TJX, or, Javelin Research – Credibility Issues?, Alex takes a look at research released by Javelin, and compares it to some SEC filings. Javelin is making the argument that companies that suffer massive breaches will lose market share. As do these folks at Response Source: “LATEST NATIONAL RESEARCH REVEALS […]


I've Made Up My Mind, Don't Bother Me With the Facts

The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. … “My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university […]


US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution. Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed […]


Where's the Beef?

As I was driving home, listening to the radio, I heard this: We’ve been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers. No, it’s not a TJX […]


By their fruits, ye shall know them

We’ve made frequent calls here at EC for improved breach reporting. In particular, we’ve said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that […]


Breach Laws Charts (updated)

A while back, I posted a list of breach laws. I’ve now added the CSO map, which is pretty cool.
Scott and Scott, one page reference chart
Perkins Coie summary of laws
Proskauer Rose listing of laws (Updated 1 December 2007)
Julie Brill, Assistant Attorney General, Vermont (not online).
CSO Magazine has an interactive chart […]


The UK Driver's License Applicants Breach and Laws

Dark Reading reported that “Data on 3M UK Drivers ‘Lost in Iowa’.” “In May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa,” Kelly said. “The hard disk drive contained the […]


How taxing is it to read a tape?

In “Athenian Economy and Society: a banking perspective,” Edward Cohen uses the fascinating technique of trusting in offhand comments. He uses the technique to analyze court records to reconstruct banking. You might not be able to trust the main testimony in a trial, but no one will offhandedly say something shocking and strange, because it […]


Reporting on breaches

It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:” The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data:, the […]


Risk Assessment is Hard

The BBC reports (TV personality) “Clarkson stung after bank prank” in which he published his bank account numbers in the newspaper: The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people’s personal details on two computer discs. He wanted to prove the story was a fuss […]


The Laboratories of Democracy in Action

Chris emailed me a bit before Christmas with a link to the new “New York State Security Breach Reporting Form.” How could we withhold this exciting news? I wanted to wait until people were back from vacation, so they didn’t miss it. The form is important because it’s starting to ask for more data. There’s […]


Send data leakers to jail? Heck, no!

In “Data breach officials could be sent to the big house,” we learn: In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: “There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. “These will take account of the need not […]


New breach blog

Evan Francen is maintaining a breach blog with more structure and commentary than either PogoWasRight or Attrition. As I looked at it, I had a couple of thoughts. The first is that he doesn’t reference Attrition DLDOS numbers. (Then again, Pogo doesn’t either.) I think this is a mistake. When we founded CVE, it was […]


Evan Schuman: TJX gets the BB gun

Not much naughtier than other retailers: I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to […]


Six breach reports in the UK: the floodgates are open

In Dissent’s weekly roundup of breaches, there were six breaches reported for the UK, versus nine in the US. It seems that the duty of care approach is really taking off. Newly reported incidents in the U.K. and Ireland: In Ireland, the Driver and Vehicle Licensing Agency has lost the personal details of 6,000 people. […]


Transparency lessons from the NFL

I think the NFL’s handling of spying by the New England Patriots is poor. Of course, I expect retrograde, authoritarian, clumsy behavior from the NFL, and I haven’t been disappointed in the few decades I’ve been paying attention. The New York Times covered this issue (the spying, not the decades). In their December 16 article, […]


Deloitte & Touche, Ponemon Study on Breaches

According to Dark Reading, “Study: Breaches of Personal Data Now Prevalent in Enterprises:” According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executives surveyed — some 800 individuals — claimed at least one reportable security incident in the past 12 months. Sixty-three percent […]


Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles:
I’d prefer if Byron Acohido had said “reported” thefts
It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough.
Both of those things said, it’s a good article, and […]


Thoughts on "Internet Miscreants"

I’ve been thinking about Franklin, Perrig, Paxson, and Savage’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” for about three weeks now. This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not […]


Gartner the omniscient

This in reference to the recent HMRC breach… However, [Gartner VP Avivah] Litan warned that the chance of identity theft was actually small, at just 1%. The probability of this estimate being scientifically defensible is 0.00%. I’ll have something to say about learning (for real) from the HMRC breach in a soon-to-come post.


Biometrics are not a panacea for data loss

Ian Brown writes, “Biometrics are not a panacea for data loss:” “What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected.” […]


Japanese Breach Disclosure Law

I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, Notification of data security breaches explains: In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 […]


Is 2,100 breaches of security a lot?

There’s a story in the Yorkshire Post, “2,111 data disasters blamed on disc row bunglers.” At first blush, that’s an awful lot of errors: THE bungling Government department responsible for losing 25 million people’s personal details in the post was hit by more than 2,100 reported breaches of security in the past year alone. And […]


A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:” Alistair Darling has apologised for the “extremely serious […]


How Government Can Improve Cyber-Security

In “How Can Government Improve Cyber-Security?” Ed Felten says: Wednesday was the kickoff meeting of the Commission on Cyber Security for the 44th Presidency, of which I am a member. The commission has thirty-four members and has four co-chairs: Congressmen Jim Langevin and Michael McCaul, Admiral Bobby Inman, and Scott Charney. It was organized by the […]


"A duty of care" to notify?

Some people have objected to my repeated claims that a new normal is emerging. Those people don’t include Her Majesty’s Revenue and Customs, who, after losing a disk in the mail, said: “There was a thorough search for the item, which went missing at the end of September, but it has not been found. We […]


Informed discussion? Cool!

David Litchfield examines some public breach data and concludes that Word documents and spreadsheets mistakenly left on a web server or indexed by a search engine account for 20.6% of the 276 breaches, both physical and digital, recorded up to the 23rd of October. He further surmises that the proportion may be even higher, since […]


Breach reporting rates

Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide (click for a larger image) from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources. I think the results are pretty interesting when combined with […]


15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this […]


Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]


Beer For a Laptop

A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but […]


Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals: A database of e-mail addresses and other contact information stolen from business software provider is being used in […]


Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]


With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]


Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]


Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]


EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]


Connecticut Sues Accenture over Ohio Breach

As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]


Once more into the Ameritrade Breach

Last week, I wrote: It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they’re shaping the news by sending out a press release. On further reading, both from readers commenting on that article, and things like Network World, “Ameritrade customers vent about data breach:” The Ameritrade […]


Motley Fool on SIAC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing […]



Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach. According to an ID Analytics press release, the US Veterans’ Administration did something similar when several million veterans’ information was revealed. At a cost of $25,000 (according to […]


Analyzing The TD Ameritrade Disclosure

In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, “TD Ameritrade Breach Affects 6.3M Customers.”) It appeared that […]


Pfizer's little problem

For the third straight month, the pharmaceutical giant is reporting a serious security breach that may have resulted in the loss of personal data belonging to current and/or former employees. The most recent breach, reported last week, involves the potential theft of personal data on some 34,000 current and former workers at the company. … […]


Harvard Business Review on Breaches

Via Chris Hoff, “Harvard Business Review: Excellent Data Breach Case Study…” we learn that the Harvard Business Review has a case study, “Boss, I think Someone Stole Our Customer Data.” The fictitious company profiled is Flayton Electronics, a regional electronics chain with 32 stores across six states. The premise of the fictitious data breach focuses […]


The "Too Many Notices" Meme

There’s this idea out there that consumers don’t need to be told when their products are broken. Not for things like lead paint on toys, mind you. No one would believe that. It’s when their personal data goes missing. If the company doesn’t think it’s a problem, they should be able to keep it a […]


No, Breach Notification Service is a Good Sign

Over at Dark Reading, there’s a story about First Advantage Membership Services launching a breach notification service. Andrew Conry-Murray starts out: You know data security breaches are way too common when a company builds a business around customer notification of stolen information. and he ends: I applaud companies that comply with notification requirements. It’s the […]


Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]


Second Breach Closure: Verus?

I’ve been fond of saying that no company goes under because of a breach. It used to be there was one exception, CardSystems Solutions. There now appears to be a second, Verus, Inc, a medical information processor that revealed information on customers of at least five hospitals. “Medical IT Contractor Folds After Breaches.” So that […]


Cost of a Breach: $6, not $187?

So TJX recently announced a $118m set-aside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the set-aside is less than $3 per record. That doesn’t line up with the $187 per […]


Breach outliers: $118m charge for TJX

The Associated Press reports that “TJX profit plunges on costs from massive data breach:” FRAMINGHAM, Mass. (AP) – TJX’s second-quarter profit was cut by more than a half as the discount store owner recorded a $118 million charge due to costs from a massive breach of customer data….About one-tenth of the charge from the data […]


British House of Lords gets it

From a report published August 10 by the House of Lords select committee on science and technology: 5.55.  We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at […]


I love the emergent chaos of breach analysis

[Updated: see below] Over at Storefront backtalk, Evan Schuman writes “TJX Kiosk Rumors Re-Emerge:” Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged. Could both be true? It’s unlikely, as both […]


Hamster Wheel of Pain™, FOIA edition

So, the USDA messes up and, in response to FOIA requests directed to them about tobacco subsidies, sends records containing taxpayer ID numbers (along, one presumes, with names) to the several FOIA requestors. Meanwhile, an enterprising lad sends a FOIA request about data breaches to North Carolina — a state known for tobacco production. That […]


Analysis of GAO report “Personal Information Data Breaches are Frequent”

(Excerpts from a letter to Mr. David Wood of the GAO. The complete letter is here.) I am writing to you today to comment on your recent report, “Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited, However, the Full Extent Is Unknown” I found GAO’s report and its implied […]


You can’t change your fingerprint

One of the most useful things you can do to protect your passwords is to change them regularly. This bounds the effect of many attacks which obtain your password, by various cracking techniques or by mistakenly entering it in the wrong place. After you’ve changed your password, the old one doesn’t do any good. This […]


The Greek Wiretapping Scandal

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t? Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered. Hah-ha! […]


It’s about more than identity theft

Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that “Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft.” (“The ‘Insider Statistic’, Good Data, & Risk.”) Alex’s main point is that it’s not insiders, […]


It’s not all about "identity theft"

There’s a fascinating conversation going on between Chris and Andy Steingruebl in the comments to Data on Data Breaches. In it, Chris writes: If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never […]


Data on Data Breaches

At the FIRST conference in Seville, Spain, I delivered a presentation about “Data on Data Breaches” that Adam and I put together. The slides, with the notes I made to act as “cue cards” for me, are available as a large PDF file on a slow web server. The main points I tried to make […]


My Privacy Enhancing Technologies talk

At the Privacy Enhancing Technologies workshop, there is a ‘rump’ session, designed for work that’s not of sufficient quality to make it into the workshop. (And given that the workshop now has a 20% acceptance rate, there’s some pretty interesting stuff that doesn’t make it in.) I didn’t use it for that, I used it […]


The 'Gay Marriage' of Computer Security?

Reading Dale Carpenter’s post on Volokh, “Big win for SSM in Massachusetts,” I was struck by how similar his narrative is to my thinking around breach notice. He writes (and I emphasize): What’s so striking about the vote today is how dramatically support for SSM has grown in the legislature (and in state public opinion polls) […]


New Hampshire, North Carolina overlap

New Hampshire’s requirement to clue in the AG’s office or your primary regulator took effect 1/31/2007. I have info from NH and NC (but not NY, yet) covering the period since 1/17, so we can see how much overlap there is:

                 New Hampshire   North Carolina
New Hampshire         40              11
North Carolina        11              41

I am eager to […]


Disclosures where they're not required by law

It’s the new normal in the English speaking world. See: “Hard drive stolen from Concordia” hospital in Winnipeg. The Bank of Scotland lost a DVD or CD in the mail, “Bank loses details on 62,000 customers in post.” “Personal banking info goes missing” regarding 120,000 Coastal Community Credit Union in Nanaimo, British Columbia. “Personal information […]


New Hampshire gets it

Via Lyger at, comes word that New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net. I haven’t had any time to read […]


Fascinating breach detail: Illinois Department of Financial and Professional Regulation

Here’s detail from an InformationWeek story, “Hackers Blamed For Data Breach That Compromised 300,000:” A hacker broke into the computer network at the Illinois Department of Financial and Professional Regulation this past January and accessed a server that held information on about 1,200,000 people who have licenses or applied for licenses with the department. Susan […]


Venn and the art of empirical breach research

As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws. This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send […]


White House Data Breach Prevention Guidelines

So the Office of Management and Budget sent a memo this week, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” The cool bit is that the memo directs agencies to act within 120 days, including evaluating their data collection, and continuing collection of personal information only if it’s necessary. Unfortunately, what I […]


Overwhelmed or Under-notified: Consumers and Breach Notices

In asking why customers don’t leave after a breach, there are two theories that people have put forth that are interestingly contradictory. The first is that they don’t know about the breaches. This was suggested by a questioner at Toorcon Seattle. The second is that customers are overwhelmed with notices. This is popular amongst bankers, […]


Premature optimization is the root of all evil

The observation is no less true of legislation than it is of code.
Case in point is the debate over whether to trigger breach notifications when a “reasonable” risk of harm or a “significant” risk of harm exists. Everybody is quick to cite California’s breach law, so I’m going to cite New York’s:


75% of Britons Want to Know

The European Commission has done an “E-Communications Household Survey,” and found that overwhelmingly, “UK internet users want to be informed of data losses:” Most UK residents want to be informed if their personal data is lost or stolen after a corporate security breach, the latest E-Communications Household Survey from the European Commission (EC) has revealed. […]


A quick pointer

Adam has made several posts about it being ‘good for you’ to open up about data breaches. Unfortunately, keeping a lid on the info is a stable equilibrium. This situation is what economists would call an Assurance Game. A quick pointer to a post I made reviewing a very good book on how to get […]


Is that an interesting question?

In a comment on “Why Customers Don’t Flee,” Chris adds “too much work.” I’ll add “too hard to evaluate alternatives.” But before we go much further, I’ll ask, is this the right question? Given that few customers leave after most breaches, is it useful to ask why they’re not leaving, or are there other questions […]


Why Customers Don’t Flee

At Toorcon Seattle yesterday, I presented “Security Breaches are Good for You (like a root canal).” It’s similar to “Security Breaches Are Good for you” (my shmoocon talk) but added a number of points about people agreeing, but not wanting to change. “Psychology & Security & Breaches (Oh My!?)” and “When Do Customers Flee.” I […]


What, me worry?

TJX sales up, again. Via StorefrontBacktalk: …TJX reported Thursday that its April sales increased another 2 percent, to $1.28 billion…. More importantly, for the thirteen weeks ended May 5, 2007, sales reached $4.2 billion, a 7 percent increase over last year’s $3.9 billion.


The Wrong Breach Law

Last week, the Senate Judiciary committee passed “The Personal Data Privacy and Security Act of 2007” (See more in Security Fix, Federal Data Breach Bills Clear Senate Panel: Much of the debate over the relative strength of the various data-breach notification proposals currently circulating on Capitol Hill centers around the precise trigger for notification. […]


Disclosure in The UK

reports “Standard Life customers are hit by breach in security,” and reports that a “Laptop containing Southend children’s social services case notes bought on eBay.” In the US, neither of these would even be news. They’re both small, first time mistakes. Both would probably require notice under state law. However, it’s anarchy in […]


Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports: At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches. Generally, these items […]


"The vendor made me do it"?

Via StorefrontBacktalk comes news that Following lawsuits in February against some of the nation’s largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors. In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavilion—have sued their POS […]


A Market To Be Tapped

I’ve often talked about how people will pay for privacy when they understand the threat. In that light, the New York Times article “Phone Taps in Italy Spur Rush Toward Encryption” is fascinating: Drumming up business would seem to be an easy task for those who sell encrypted cellphones in Italy. All they have to […]


One Third of McAfee Survey Respondents Are Not Paying Attention

So reports Sharon Gaudin in Information Week. Actually, I think she picked up the story as McAfee spun it: “Companies Say Security Breach Could Destroy Their Business:” One-third of companies said in a recent poll that a major security breach could put their company out of business, according to a report from McAfee. The security […]


When Do Customers Flee?

So I’ve long thought that consumers treat breaches as mistakes, and generally don’t care. In reading the Ponemon reports, it seems that the average customer churn is 2%. (I’ll come back to that number.) But it gets worse when you have repeated breaches. In the CSO blog, “What, When and How to Respond to a […]


Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not […]


"What security people won't share with each other"

Scott Blake has a really interesting 3-part podcast interview with Mike Murray. See Mike’s post, “it never ceases to amaze me what security people won’t share with each other,” and go understand why you should give Scott a demerit. (I’d meant to post this months ago, when Scott did the interview. Oops!)


Frontiers of Data Disclosure

Howard Schmidt made a glib suggestion that made me laugh, but he has a point. He asked why don’t we just take names, social security numbers, and everyone’s mother’s maiden name and put it in a huge searchable database, so everyone knows that it’s not security information and we can once and for all stop […]


Month of Owned Corporations

Richard Bejtlich points to a very dangerous trend in his TaoSecurity blog, the “Month of Owned Corporations”: Thanks to Gadi Evron for pointing me towards the 30 Days of Bots project happening at Support Intelligence. SI monitors various data sources to identify systems conducting attacks and other malicious activity. Last fall they introduced their Digest […]


Psychology & Security & Breaches (Oh My!?)

I’ve been talking about disclosure, and how it has the potential to change the way we work. Before it does that, it needs to change the way we think. Change is hard. There’s a decent argument that many things are the way they are because they’ve emerged that way. There existed a froth of competing […]


Bejtlich gets it: It's about empiricism

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt 60 percent of the incidents involved organizational mismanagement as a way to question my assertion that insiders […]


On Credit Cards and Being Behind

Just a quick note–you’ve convinced me that my thoughts on credit cards were wrong. (“The Cost of Disclosures, and a Proposal.”) Iang, rG0d and Nick are right. I should have remembered that disclosure is a moral imperative. I’ve also enjoyed the debate with Ken Belva, and will have one final closing post to respond to […]


New Hampshire joins the club

The Granite State requires that security breaches involving PII be reported to the Attorney General: Any person engaged in trade or commerce that is subject to RSA 358-A:3, I shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the New Hampshire attorney general’s office. […]


UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]


Disclosure Laws, State-by-State

Philip Alexander writes in Intelligent Enterprise about “Data Breach Notification Laws: A State-by-State Perspective.” The article is short and readable, and points to his new book, which is likely a good read.


The Cost of Disclosures, and a Proposal

So there’s a spectre haunting my arguments for disclosure, the spectre of cost. I’m surprised none of my critics have brought it up yet. Mailing notices to people, and handling their questions can be expensive. When the personal data being lost is a credit card number, I don’t care that much. When it’s medical data, […]


See, it can be done

I’ll keep this short since you should all be reading Mordaxus’ latest, not this, but speaking of data… This breach report [pdf] from Community National Bank wasn’t sent to consumers, but you can’t say it was short on details.


Three on Information Sharing

The New York Times has a story, “Teaching the Police to Stay a Step Ahead of Car Theft:” The police have traditionally kept such conversations quiet, fearing they could tip off aspiring thieves. Mr. Bender’s mission is to bring investigators into the digital age and get them to share information, just as their adversaries are […]


We Have Nothing to Fear But Fear Itself

So Ken Belva suggests that we should cordially agree to disagree. (“My Response to Adam Shostack’s Reply on Transparency & Breaches“) I’m happy to be cordial, but I feel compelled to comment on his response. Before I do, I should be clear that I have respect for Ken as a professional, and as someone willing […]


UK NHS & Disclosure: A Moral Imperative Example

From, “Pressure grows for UK data loss disclosure:” As a spokeswoman for the Information Commissioner’s Office told last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.” But, from the BBC, “Children’s details taken in theft:” Health bosses in Nottinghamshire have issued […]


Response to Ken Belva on Transparency & Breaches

Over at bloginfosec, Ken Belva takes issue with my claim that “security breaches are good for you,” in the aptly titled “Why security breaches are still bad for you…” His summary and response are well thought out, and I’d like to respond to a few of his points. This is a long post because I […]


TJX Commentary

I keep trying to avoid commenting on TJX, and keep getting drawn back in. The amount of news and analysis out there is large, and I’m selecting islands in the clickstream. (Any advice on who’s covering it well would be appreciated.) In “TJX Lawsuits — 45 Million Credit Cards,” Pete Lindstrom mentions that there are […]


Worst Breach Ever?

There’s a lot of headlines about how the TJX “Data Theft Grows To Biggest Ever” (Washington Post). The trouble is, that claim is wrong, and it’s wrong even amended to “Biggest reported ever.” The biggest reported theft of personal data is Scott Levine’s theft of over a billion records from Acxiom. As the Department of […]


The Sky Is Not Falling–What Can We Learn?

I’d like to respond to two questions posted to my “Security Breaches Are Good For You” post. Antonomasia writes “there are security events other than customer data disclosure – any thoughts on how those can be subjected to evidence-based assessment?” Blivious writes: “What about other kinds of breaches? The apparent moral standard only applies to […]


Security Breaches Are Good for You: My Shmoocon talk

At Shmoocon, I talked about how “Security Breaches are Good for You.” The talk deviated a little from the proposed outline. I blame emergent chaos. Since California’s SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. […]


Holding a Lighted Brand up to Damage

Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence. I can’t let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It’s like saying that a bug tracking system with lots of bugs in it is […]


Breaches and Brand Damage

Tim Erlin runs some numbers in “Is Brand Damage a Myth” at Ncircle, and Nick Owen follows on with some diplomatically presented thoughts in “Brand Damage, Stock Price and Cockroaches:” My theory is that information security breaches are an indicator of a lack of management competence. Moreover, as discussed previously, information security breaches are […]


Off to Shmoocon!

Where I’ll be explaining that “Security Breaches are good for you.” Come see me speak at 5 PM on Friday. It’ll be … entertaining.


Anarchy in the UK?

Via Silicon Strategy, we learn that “Pressure grows for UK data loss disclosure:” The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts. Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do […]


Reports on Reporting, Compliance

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, “A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006.” This is a great survey of the dramatic explosion in reports of breaches. A couple of great quotes: One important outcome of […]


Mommas, Don’t Let Your Babies Grow Up to be County Clerks

At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing. However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social […]


Ignorance is Strength

Via a Stitch in Haste, we learn about more members of the ‘sweep it under the rug’ club: David Oliver Burleson, 49, an anesthesiologist whose license was suspended for two years in October 2005 … acknowledged to the Oregon Board of Medical Examiners that he inappropriately touched women whom he had sedated before surgery. The […]


Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products. I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired. The same can be said […]


On the TJX Breach

So there’s been a stack of news stories on TJX and the issues with their database. I want to comment on an aspect of the story not getting a lot of coverage. In the Cincinnati Enquirer story, “Fifth Third has role in TJX hole,” Mike Cook is quoted as saying “If you are a consumer […]


Why We Fight

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier. Store closings led TJX […]


Data Collection about Breaches

In “Once a data loss report, always a data loss report?” Dissent asks about what we should be collecting and analyzing. Scenario 1: “We thought we had lost a computer with sensitive customer records, but it turns out we didn’t lose it.” Should that entry in a breach list be removed? I think that the […]


Visualizing Breach Data

Using IBM’s cool “Many Eyes” service (now in alpha), I played for a few minutes with some breach data. Nothing more than the size of each entry in Attrition’s database, and its date. Looks kinda cool, I think.


Identity theft numbers: Javelin vs. FTC

So there was a bunch of press last week from a company (Javelin) claiming that ID theft was falling. Consumer Affairs has a long article contrasting Javelin and FTC numbers, well summarized by the claim that “FTC Findings Undercut Industry Claims that Identity Theft Is Declining.” I think that there’s an interesting possibility which isn’t […]


I Was Wrong

I’ve had a conversation recently with a CSO about breach disclosure. His shop had screwed up and exposed, well, an awful lot of social security numbers. They feel really bad about it, and they don’t think anyone will really be hurt. Gosh darn it, he was really sincere. So I take it back. We should […]


Dave Molnar, Call Matt Blaze

Dave Molnar has some good comments on ‘Stolen ID Search.’ He writes, starting with a quote from “ben:” “I can’t believe you are advocating typing your ssn or credit card into a mystery box.” That’s “ben”, commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social […]


A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call. In a recent post at Spire Security Viewpoint, he suggests that the folks at might be liars: I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it […]


More on the CIPPIC Report

A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it. First, the report talks […]


Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption. Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, […]


Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled Approaches to Security Breach Notification[pdf]. From the Introduction: This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ […]


Choicepoint reports $50M more expenses, some due to breach

The Atlanta Business Chronicle reports that “ChoicePoint tumbles to third-quarter loss:” ChoicePoint Inc. went into the red in the third quarter, hurt by about $50 million in charges related to asset impairment, stock expenses and legal fees from a data breach in 2005. Choicepoint’s losses are a severe outlier. As I said in March, 2005, […]


Insuring Against Data Loss Losses

Matt Hines reports on a growing market for corporate insurance, responding to concerns about breach laws, in “Dark Day Planning: Insuring Against Data Loss:” As a result of the widening impact of data losses, AIG has seen its business of providing insurance for potential corporate security failures shift increasingly toward protection for privacy-related risks. Another […]


A Request

My latest request for documents under New York State’s freedom of information law was just responded to. There are 1289 pages of documents covering the period 6/2006 to 12/2006. By way of comparison, my two previous requests covered the period 12/2005 to 5/2006, and yielded 400 pages or so. The nice folks in NY made […]


Hmmm…Breach Notification…Australia…

So there’s an article in ZDNet Australia, “Establish a strategy for security breach notification.” All well and good, but Australia doesn’t have a breach notice law. (As far as I know.) So all you ‘new normal’ skeptics, who don’t believe me that standards are changing ahead of laws…why did a competent journalist writing for editor […]


When Planes Fell From the Sky

The excellent ‘Notes from the Technology Underground’ has some personal recollections of “when planes fell from the sky:” In the 1950s, planes crashed with alarming frequency into city neighborhoods near the Minneapolis-St. Paul airport. At least one devoured a house near where I now live, in Southwest Minneapolis. I heard from older neighbors about the […]


Let’s look at some data

Paul Murphy has made some predictions for 2007. EC readers can judge their value.
Mr. Murphy makes one comment on data breaches that I can’t resist reacting to (after the jump), however.


That wasn't so bad after all…

There’s an article in Wall Street and Technology, “When Risk Managers Cry Wolf.” It opens: Avoiding “reputation risk” is a common justification for increasing security measures, protecting customers’ financial information and reporting security breaches in a timely manner. But now more than 18 months after the big ChoicePoint incident when 163,000 bogus accounts were created […]


Breach Bills, and the Role of Encryption

In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively: The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal […]


The New Transparency

Sometimes, we Americans forget how lucky we are to live in a country with 51 legislative bodies, all of which can pass laws which affect all of us. By sheer luck, some of those laws will not stink, and a few actually turn out to be useful, not jarringly out-of-tune with the gestalt, and not […]


Carole King said it best

“It’s too late, baby” Yeah, I’m dating myself, but Tapestry was huge, and she and Goffin had some serious songwriting chops. Anyway, the “it” about which it’s too late is, yes, a relationship. An important relationship. A relationship which, while admittedly not exclusive, is “open” in a hopefully honest, fulfilling, respectful way. That relationship is […]


Popping pills

Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person. So, […]


More things to Do With the "Last 4"

Apparently, in Ohio, you’ll be able to vote if you know the last 4 digits of an SSN. As the Cleveland Plain Dealer reports: Voters who don’t have identification will be able to vote at next week’s election by presenting the last four digits of their Social Security number and casting a provisional ballot. Will […]


"Keep Defect Data Public"

The National Highway Traffic Safety Administration (NHTSA) is again bending to the will of the auto industry as the agency is proposing to restrict access to information about consumer complaints, warranty claims and service reports. NHTSA was ordered by Congress to make information about problems with vehicles public after it withheld information about the blowout […]


Giant Waves

Chandler Howell has a great post about giant waves. He quotes extensively from “Monster Rogue Waves” at Damninteresting: More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected […]


"Reservoirs of Data"

Danielle K. Citron has put a new paper on SSRN, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age.” It is highly readable for the lay audience, and lays out (what I think is) a strong case for strict liability in personal data breaches. The abstract of […]


Is That Lack of Data Keeping You Safer?

Bob Sullivan has an interesting article, “Is that picture keeping your money safer” in which he takes dueling quotes over the Bank of America Sitekey deployment. Rather than arguing again about Sitekey (see “Easy Pickings for Bank Robbers,”) I’d like to ask why a respected and competent reporter like Bob can’t get a straight answer […]


Comment pointer

Mike Cook, author of the ID Analytics report referred to in a recent Breach Tidbit post, has responded in the comments.


Breach Datasource Design Criteria

Most readers of these words are probably familiar with at least one of the lists of data breaches commonly referenced in the media and in specialized blogs. Among these are’s Dataloss, and’s Breach Chronology. The ID Theft Center also maintains a list (available, it seems, only as a PDF), and various academic researchers […]


Chris Walsh on Dark Reading

Our very own Chris Walsh was featured today on Dark Reading. In “Financial Firms Losing Data”, they profile Chris and his research using the Freedom of Information Act to better quantify the nature of privacy breaches in New York. The results may surprise you…


Worse Than Choicepoint: The FTC?

So part of Choicepoint’s settlement with the FTC was a $5m fund to compensate their victims. Now, there were 167,000 victims, of whom 800+ had their identities abused by fraudsters. None have gotten any money: Jessica Rich, assistant director of the FTC’s division of privacy and identity theft, said in a statement released to AP […]


"Handling Security Breaches Under European Law"

In a comment on “What’s Next in Breach Analysis,” Ian Grigg pointed out the very interesting “Handling Security Breaches Under European Law:” There are as yet no direct equivalents of the mandatory security breach reporting legislation we have seen in the U.S., either at a European Union level or within Europe itself. That is not […]


Breach Tidbit

One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud. ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability […]


The Future’s So Bright, Let’s Not Wear Blinders

I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” Chris talked about the theme of the “19th Annual FIRST Conference” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out […]


Breach Data

I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, […]


CSO Breach SOP == FUD?

Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business […]


Emergent Breach Research

I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like: “Notification of Data Security Breaches,” by Paul M. Schwartz and Edward J. Janger, forthcoming […]


What’s Next In Breach Analysis?

I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal laptop, the Government of British Columbia, KDDI, a Japanese phone company, the Bank […]


Is It Time To End the Breaches Category?

Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting […]


$50 Million for Violating Driver's Privacy in Florida

$50 Million Verdict for Violating Drivers’ Privacy in FL A Florida bank was required to pay $50 million in a class-action settlement resulting from violations of federal privacy law. Fidelity Federal Bank & Trust purchased 656,600 names and addresses from the Florida DMV for use in direct marketing. The purchase violated the Drivers Privacy Protection […]


Wells Fargo to laptop-losing auditor: buh-bye

Via David Lazarus, writing about yet another lost laptop, this one belonging to an outside auditor working for Wells Fargo: “The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants,” said Julia Tunis, a Wells spokeswoman. “The auditor is […]


Breach numbers

I just got a response from North Carolina to my freedom of information request, asking for records pertaining to security breaches resulting in the exposure of personal information. North Carolina requires that such breaches be reported centrally. The data were sent in printed form, in a table obviously derived from a spreadsheet. I hope to […]


Transparency Is Good for the Soul (of Our Profession)

In “Legislating Virtue,” Phill takes me to task for being unclear in “So, this, ummm, friend of mine, umm has a problem with security.” That’s fair. I’ve been saying similar things a lot, and I forget that I need to back up and frame it from time to time. Phill spends a lot of his […]


So, this, ummm, friend of mine, umm has a problem with security

In a comment on “Drowning In Notices,” Phill Hallam-Baker writes: My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blase about seeing them, they might lose their embarrassment in sending them. I don’t think people should be more embarrassed about […]


Drowning in Notices?

In “Access controlled by a password,” Phillip Hallam-Baker writes: It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices. I must say, I don’t get this objection. Does it apply to any other bit of information […]


Indiana's Breach Law

Indiana’s breach notification law went into effect on July 1, 2006. An excerpt relevant to the “lost laptop” phenomenon: Sec. 2. (a) As used in this chapter, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a state or local […]


North Carolina is in the club

From North Carolina’s breach notification law, which took effect on December 1, 2005: (f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that […]


New rules, you say?

Vystar Credit Union was hit by “hackers”, who obtained personal info on 10% or so of their 334,000 customers. The information included “names, addresses, social security numbers, birth dates, mothers’ maiden names and e-mail addresses”, according to Credit union CEO Terry West took a rather old school approach: West said the company noticed the […]



People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an […]


Do Lost Computers Matter?

Over at Concurring Opinions, Dan Filler asks a question that a lot of people are asking: We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I […]


Does Lost Data Matter?

At WEIS last week, Allan Friedman presented “Is There a Cost to Privacy Breaches? An Event Study.” The study looked at the effect of a privacy breach on stock value, and roughly concluded that it doesn’t do any harm to the shareholders after a few days. Tom Espiner of ZDNet has an article that explains […]


Never Say Never

Over at Security Incite, Mike Rothman discusses the recovery of the VA laptop: In other good news, they found the missing VA laptop, evidently with all the data intact. That really is great news, but I guess we’ll never get to test Adam Shostack’s contention (link here) that identity thieves could get to all 26 […]


Indistinguishable from magic

The press release you won’t see. For Immediate Release CATAWBA COUNTY SCHOOL SYSTEM, June 26 — The Catawba County Public School System (NC) announced today that district web site administrators have remedied a configuration error which accidentally resulted in the social security numbers and names of several hundred students being made available via the popular […]


Responsible Transparency?

Over at the ncircle blog, Mike Murray* takes me to task for advocating transparency, and argues for “Responsibility and Disclosure.” His argument is solid: We’ve had a “responsible disclosure” debate in the vulnerability research community for a whole lot of years – the point is simply that, while disclosure forces everyone to be responsible, sometimes, […]


Remembering the Maine

From Maine’s Public Law, Chapter 583, passed April 2006: Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read: 5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information […]


Breach Quickies

Well, now that America’s Finest News Source is getting into breach coverage, I guess I can move on. See “ Information Stolen” in the Onion. Also, Nick Owen has some good analysis of the Ohio State comedy of errors in “Repurcussions of data loss at Ohio University.” I’m hoping Chris will cover the N+1 Ohio […]


There Will Be No Privacy Chernobyl

Ed Felten asks: What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money — Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to […]


The New Transparency Imperative

…in the incident last September, somewhat similar to recent problems at the Veterans Affairs Department, senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said. … “That’s hogwash,” Rep. Joe Barton, chairman of the Energy and Commerce Committee, told Brooks. “You report directly […]



A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is. Jun. 8–Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue […]


Is encryption worth it?

Gartner’s Avivah Levitan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate. The problem? Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if […]


Small Bits of Chaos

“Los Angeles Consumers File Class Action Lawsuit Against Used-Car Dealer Drive Time For Allegedly Leaking Their Private Financial Information to Unauthorized Third Parties.” “Down To Business: Time To Get Tough On Security Slackers” Rob Preston in Information Week, “Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security […]


Maybe they can borrow a few million from the IRS

[T]he VA’s inspector general, George Opfer, said that the agency had been unable to formally notify the affected veterans because “we don’t have 26 million envelopes.” via the Bradenton Herald Now that the funny part is out of the way… Asked the cost for preventing and covering potential losses from identity theft, [VA Secretary] Nicholson […]


Illinois credit freeze now law

Public Law 094-0799 now allows Illinois residents to have a freeze applied to their credit reports. The maximum fee (not applicable to those 65 and over) is $10.00. The law, according to a press release from the governor’s office, takes effect January 1, 2006. Look for other states to continue to pile on, now that […]


A small, but hopeful sign in state breach legislation

A bill sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications: 5 (815 ILCS 530/25 new) 6 Sec. 25. Annual reporting. Any State agency that collects 7 personal data and has had a breach of security of the system 8 data […]


Make that 12% of Adults

Rob Lemos convinces me that the better number is “One in 8 (or 9) Americans.” I buy his statement as long as we discuss adults, rather than Americans. Kids are at risk from ID theft, too, even if this incident doesn’t touch them. (Assuming none of the vets has an overlapping SSN, a stolen SSN, […]



8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws […]


"Encryption is hard, let's go shopping!"

On upcoming changes to the Payment Card Industry Data Security Standard: “Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes […]


The Human Element

In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes: The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human […]


Breach Notification, the New Normal, and a New Metaphor

Ever wonder if banks are required to tell customers when their systems are hacked? You may be shocked to learn that they are not. Wow. Fifteen months since Choicepoint, and that’s being written? There’s a new set of expectations out there, and it hasn’t taken long to set. Thank you, Choicepoint. The quote leads an […]


Here’s to you, New York

I’ve mentioned before that other than New York, only New Jersey requires that security breaches involving personal identifying information be reported centrally. I hazarded a guess at the time that, unlike NY, NJ would not respond favorably to a freedom of information request for such records, because the mandated reporting is to the state police, […]



In the latest in the ongoing saga of debit cards being reissued after a breach at an unnamed merchant, 3rd-party, or card processor, we learn that unless a crook stands a chance of getting caught, he’ll keep on stealing: These crooks get away with it, and that’s why they keep doing it. They’ve got about […]


Better ID Theft Statistics: 3% of US households in first half 2004

The 2004 National Criminal Victimization Survey includes ID theft data, for the first time. From a CSOOnline blog post, “DOJ Study: ID Theft Hit 3.6M In US:” About 3 percent of all households in the U.S., totaling an estimated 3.6 million families, were hit by some sort of ID theft during the first six months […]


National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16. I haven’t read the full text of the bill (and it […]


Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an Ebay scam. What’s interesting to me is some of the language that the scammer used to justify their requests: “Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)…. “Another red flag was the wire-transfer […]


"Suffering in Silence With Data Breaches"

That’s a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case “under investigation,” he said. “Only about […]


Laptop theft

The Register has been on Ernst & Young’s case. The latest Exclusive! talks about a laptop stolen in early January, and how we now know it had info on BP employees, along with those from IBM and others. The article also observes that: It’s difficult to obtain an exact figure on how many people have […]


Breach notification escape mechanisms

In a somewhat incendiary piece published today at, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed. According to the article, which along with unnamed “security experts” also cites industry notable Avivah Levitan, “[t]here are three cases in which a company […]


David Litchfield Asked Me

At Blue Hat, David Litchfield of NGS asked me ‘how many of the issues we see are related to SQL injection?’ I did a review of the breach archive here, and found less than half a dozen that seemed decent candidates: State of Rhode Island, 4,118 or 53,000 CC, Hacker Reeves Namepins, Unknown # Cop […]


NJ prosecutor reports debit card ring has been busted

Story at CNET. In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts. I’m done being a Kremlinologist on this one, for now. With as little solid info as has made it into the press, it’s just not worth it. Perhaps some facts will […]


Some additional info on the debit card breach

American Banker has a useful article about the debit card/PIN breach that has been making news. Unfortunately, it is behind a paywall. After reciting the background, the article presents some additional info in Q and A form. Herewith, some fair-use excerpts. All italics emphasis is added. If you have access, I urge you to read […]


Social Security Administration, 300 Million Americans Not Exposed

I just got my “Your Social Security Statement” in the mail. The very first words on the top of it are “Prevent identity theft—protect your social security number.” Inside, it only prints the password to my cell phone last 4 digits. If your bank, school, or employer does worse, ask them why they’re less enlightened […]


Chip and Pin Point-of-Sale Interceptor

Mike Bond at Cambridge University has a page “Chip and PIN (EMV) Point-of-Sale Terminal Interceptor,” in which he documents: Our interceptor is a prototype device which sits between a Point-of-Sale (POS) terminal in a shop and the Chip and PIN card carried by a customer. It listens passively to the electrical signals – “the conversation” […]


CIBC, One Customer's Wire Transfers, Data They Didn't Use

The federal Privacy Commissioner is looking into a faxing incident involving Canadian Imperial Bank of Commerce and one of its clients. The case began last October when CIBC was told by Christine Soda that she had been receiving faxes at her home in Mississauga that were supposed to be going to Gerry McSorley, who runs […]


The wall starts to crack

Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard. That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards. A Visa spokeswoman would not […]


Citibank card cancellations are likely due to Sam’s Club

So says Gartner analyst Avivah Levitan, as reported in Computerworld. Much has been made recently about a purported “class break” of Citi’s ATMs. A class break being “an attack that breaks every instance of some feature in a security system”. The term was popularized by Bruce Schneier, in Beyond Fear, from which this definition comes. […]


Analysis of University of Texas, 4,000 encrypted SSNs, Laptop

There is no such thing as perfect security. This week, Arthur commented on “40 Million Pounds Sterling Stolen from British Bank.” Mistakes do happen, and it’s nice to see that not only did the M.D. Anderson Cancer center ensure that their data was stored encrypted, they chose to notify people that it happened: The private […]


Security Breach Resources

I’ve put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to most readers of these words, but the fact that it is in one place may be helpful. The URL is […]


In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an […]


Here's a name: Wal-Mart

Via lyger of the Dataloss mailing list, I learned of an article claiming that Wal-Mart may be the big-box retailer involved in several high-profile card reissues stemming from a breach which led to an international series of card frauds. In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced […]


SarBox and Breaches

Earlier today Chris wrote (“Naming names isn’t always bad“): A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors might rationally think that failure to protect data might impact future profitability. Bugger efficient markets! […]