Shostack + Friends Blog Archive


How Damaging is a Breach?

overflowing-dam.jpgPete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.

For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don’t know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse “Chronology of Data Breaches,” and’s Dataloss list. There are also regular reports through ISN, and Dave Farber’s Interesting People List.

While we’re happy that there are amateur efforts, it’s hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who’s gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.

Dam Water” photo by Ed Hidden.

6 comments on "How Damaging is a Breach?"

  • Chris Walsh says:

    Since broadly speaking there is no requirement to report to anyone but the victims and the three CRAs, the information is either locked up (at the credit bureaus) or so widely dispersed that it is difficult to collect.
    I assert that we learn of only the “most newsworthy” breaches, since these are the ones individuals who have been notified actually pipe up about.
    “Newsworthy” in the preceding sentence I think means:
    Shocking to the conscience
    Affecting very large number of people
    Having some quirky aspect
    The state of the art in gathering “comprehensive” data on breaches (forget about individual-level impact for now) amounts to using Google, Lexis/Nexis, and Edgar On-Line.
    My assertion in the second paragraph may be semi-testable, but it requires making some potentially unwarranted assumptions about how “representative” breaches reported to the NY State government are of breaches nationally. I’ll have more to say about this soon (ideally, in Vancouver, oh powerful program committee luminaries)

  • Alex Hutton says:

    Are you looking for data or “baseline risk” of a breach?
    Data, as you say, is problematic. The trouble I see with determining baseline risk (assuming you like your definition of risk to be “amount you will probably lose and how frequently you stand to lose that amount”) is that risk calculations normally require that data. Welcome to catch-22.
    However, I think you can use probabilistic modeling to get a good range with which to arrive at “baseline risk”. Got a link to Mr. Lindstrom?

  • Adam says:

    I’m looking for a baseline of risk for identity theft that’s not the “1.5%” number that includes account takeover and fraud by impersonation.

  • Chris Walsh says:

    In related news…veterans’ (note apostrophe use, Adam) groups are seeking $26.5 billion from the VA in a class-action suit.

  • Alex Hutton says:

    Speaking of the cost of a breach, yesterday DSW announced that earnings were down because of their incident. Has anyone seen how much money loss they allocate to the breach?
    I’m searching and I can’t find anything off their investor relations site.

  • Adam says:

    Did they announce it, or tell the SEC?
    Companies suffering decliing sales love to blame outside factors, rather than exec failures.

Comments are closed.