How Damaging is a Breach?
Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.
For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don’t know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos; the Privacy Rights Clearinghouse “Chronology of Data Breaches”; and Attrition.org’s Dataloss list. There are also regular reports through ISN and Dave Farber’s Interesting People List.
While we’re happy that there are amateur efforts, it’s hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who’s gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.
“Dam Water” photo by Ed Hidden.