Shostack + Friends Blog Archive


Breach Data

I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, representing approximately 45 breaches.
First, only maybe 2-3 of these were educational institutions. The vast preponderance were financial and/or insurance firms. Computer theft, primarily of laptops, was by far and away the leading breach mechanism — I’m talking over half of the reports, maybe even two-thirds (I’ll tally it up and post about this soon). After theft, I’d say it was a toss-up between web site coding/config screw-ups and dumb procedures like mailing out SSNs to the wrong people.
OK, so what does this have to do with data and research? Well, first off I would say that these 45 or so cases differ noticeably from those I got from the same source in NY only four months earlier. Far more laptop thefts reported now, and a much heavier financial services/insurance weight.
Does this reflect a different reality as far as how PII gets revealed, and from whom? Does it reflect an increasing awareness of the need to report? An increased focus on equipment theft as a regulatory compliance issue? I have no idea, and I don’t think anyone else who follows this stuff does, either. At least not any idea for which we have appropriate data to conduct an empirical test.
That, I would say, is our challenge. The analytical tools we have. The theoretically-informed hypotheses we pretty much have. We need better data.
More on this later.