<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Data on Data Breaches</title>
	<atom:link href="http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/feed" rel="self" type="application/rss+xml" />
	<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html</link>
	<description>The Emergent Chaos Jazz Combo</description>
	<lastBuildDate>Mon, 15 Mar 2010 15:02:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Andy Steingruebl</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3732</link>
		<dc:creator>Andy Steingruebl</dc:creator>
		<pubDate>Sat, 30 Jun 2007 22:31:50 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3732</guid>
		<description>I just responded to Adam&#039;s commentary on the other post and on my own blog...
&lt;a href=&quot;http://securityretentive.blogspot.com/2007/06/data-breaches-and-privacy-violations.html&quot; rel=&quot;nofollow&quot;&gt;http://securityretentive.blogspot.com/2007/06/data-breaches-and-privacy-violations.html&lt;/a&gt;
</description>
		<content:encoded><![CDATA[<p>I just responded to Adam&#8217;s commentary on the other post and on my own blog&#8230;<br />
<a href="http://securityretentive.blogspot.com/2007/06/data-breaches-and-privacy-violations.html" rel="nofollow">http://securityretentive.blogspot.com/2007/06/data-breaches-and-privacy-violations.html</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3731</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Sat, 30 Jun 2007 21:47:05 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3731</guid>
		<description>I did not read the OIG&#039;s report.
I did notice that the VA had a &lt;a href=&quot;http://www.fedspending.org/fpds/fpds.php?fiscal_year=2006&amp;parent_id=136795&amp;sortby=u&amp;datype=T&amp;reptype=r&amp;database=fpds&amp;detail=4&amp;submit=GO&quot; rel=&quot;nofollow&quot;&gt;contract with ID Analytics&lt;/a&gt; to assess whether the PII in the large VA breach was used to further ID theft.  $25,000 to monitor over 25 million IDs is pretty cheap.  Way cheaper than &quot;ID theft insurance&quot;.
I suspect that there will be a movement to this kind of thing. There&#039;s a good argument that absent the sort of data I have been arguing we should gather, such a move is premature.
It is even more premature if you care about things other than ID theft, such as privacy.
</description>
		<content:encoded><![CDATA[<p>I did not read the OIG&#8217;s report.<br />
I did notice that the VA had a <a href="http://www.fedspending.org/fpds/fpds.php?fiscal_year=2006&#038;parent_id=136795&#038;sortby=u&#038;datype=T&#038;reptype=r&#038;database=fpds&#038;detail=4&#038;submit=GO" rel="nofollow">contract with ID Analytics</a> to assess whether the PII in the large VA breach was used to further ID theft.  $25,000 to monitor over 25 million IDs is pretty cheap.  Way cheaper than &#8220;ID theft insurance&#8221;.<br />
I suspect that there will be a movement to this kind of thing. There&#8217;s a good argument that absent the sort of data I have been arguing we should gather, such a move is premature.<br />
It is even more premature if you care about things other than ID theft, such as privacy.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dissent</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3730</link>
		<dc:creator>Dissent</dc:creator>
		<pubDate>Sat, 30 Jun 2007 17:17:58 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3730</guid>
		<description>I&#039;m still in the process of compiling health-related or medical privacy breach reports from some sources.  Suppose it turns out that all cases of ID theft in the sample are associated with insider/employee theft of PII.  Then what?  Some might argue that those data might suggest there is no need to notify patients in the event of a hack or lost hard drive, but I disagree that ID theft risk is the sole or most important criteria in determining notification.
Did you read that VA OIG report that came out yesterday?  The OIG is suggesting that the govt take another look at whether to notify individuals in the event of another incident involving SSN:
&quot;This data loss incident raises concerns over the lack of Government-wide guidance and criteria on what constitutes high risk data for identity theft and credit protection services. Without well thought-out guidance, Federal agencies are likely to make inconsistent decisions about what protections to offer affected individuals. The question arises whether it is a prudent use of Government resources to offer a year of free credit monitoring to nearly 180,000 individuals at risk solely because their SSN was lost in this breach. For example, some law enforcement agencies have taken the position that release of a SSN alone does not put an individual at risk for identity theft. Because data loss is a systemic problem throughout the public and private sector, developing criteria and guidance for assessing risk associated with a breach of sensitive information should not be relegated to any one Department. An example of why Government-wide criteria is needed is evidenced in the Birmingham data loss case, where some of the missing data is from another Federal agency.&quot;  (p. 14)
If all they&#039;re concerned about is ID theft, then they will cut notifications way down.  But in my opinion, they should be notifying individuals because dammit, we have a right to know if someone with custody of our details lost them or compromised them.
</description>
		<content:encoded><![CDATA[<p>I&#8217;m still in the process of compiling health-related or medical privacy breach reports from some sources.  Suppose it turns out that all cases of ID theft in the sample are associated with insider/employee theft of PII.  Then what?  Some might argue that those data might suggest there is no need to notify patients in the event of a hack or lost hard drive, but I disagree that ID theft risk is the sole or most important criteria in determining notification.<br />
Did you read that VA OIG report that came out yesterday?  The OIG is suggesting that the govt take another look at whether to notify individuals in the event of another incident involving SSN:<br />
&#8220;This data loss incident raises concerns over the lack of Government-wide guidance and criteria on what constitutes high risk data for identity theft and credit protection services. Without well thought-out guidance, Federal agencies are likely to make inconsistent decisions about what protections to offer affected individuals. The question arises whether it is a prudent use of Government resources to offer a year of free credit monitoring to nearly 180,000 individuals at risk solely because their SSN was lost in this breach. For example, some law enforcement agencies have taken the position that release of a SSN alone does not put an individual at risk for identity theft. Because data loss is a systemic problem throughout the public and private sector, developing criteria and guidance for assessing risk associated with a breach of sensitive information should not be relegated to any one Department. An example of why Government-wide criteria is needed is evidenced in the Birmingham data loss case, where some of the missing data is from another Federal agency.&#8221;  (p. 14)<br />
If all they&#8217;re concerned about is ID theft, then they will cut notifications way down.  But in my opinion, they should be notifying individuals because dammit, we have a right to know if someone with custody of our details lost them or compromised them.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3729</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Sat, 30 Jun 2007 10:45:07 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3729</guid>
		<description>Your second paragraph contains two points.
1. We don&#039;t know how much reported data breaches contribute to ID theft
2. We don&#039;t know how many data breaches there are in the first place.
I addressed 1) in my response to your previous comment.
2) in other words is &quot;there is an unknown number of undetected breaches&quot;
I fully acknowledge 2), and called it out in the presentation.  The data we get from the states gives us more than we typically have been working with, but clearly if a SSN is stolen in the forest and nobody hears it leave the database, it doesn&#039;t get reported to anyone.
You are putting your finger on an important point.  If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed.  Or maybe it&#039;s 40%.  Or 10%.  I am interested in this question because it is a cool question.  The policy ramifications are a close second to me.  Others may have a different view.  One &lt;a href=&quot;http://chrishoofnagle.com/blog/?p=696&quot; rel=&quot;nofollow&quot;&gt;approach&lt;/a&gt; to dealing with measuring ID theft (not breaches -- ID theft) has been put forward by Chris Hoofnagle, and it involves making banks mandatory reporters.  It&#039;s an intriguing concept that (if it doesn&#039;t create other issues) neatly sidesteps the &quot;dark matter&quot; problem.
</description>
		<content:encoded><![CDATA[<p>Your second paragraph contains two points.<br />
1. We don&#8217;t know how much reported data breaches contribute to ID theft<br />
2. We don&#8217;t know how many data breaches there are in the first place.<br />
I addressed 1) in my response to your previous comment.<br />
2) in other words is &#8220;there is an unknown number of undetected breaches&#8221;<br />
I fully acknowledge 2), and called it out in the presentation.  The data we get from the states gives us more than we typically have been working with, but clearly if a SSN is stolen in the forest and nobody hears it leave the database, it doesn&#8217;t get reported to anyone.<br />
You are putting your finger on an important point.  If what we care about is reducing ID theft, then maybe all this effort about analyzing breach reports is a sideshow, since for all we know 80% of the revealed PII never gets detected as having been revealed.  Or maybe it&#8217;s 40%.  Or 10%.  I am interested in this question because it is a cool question.  The policy ramifications are a close second to me.  Others may have a different view.  One <a href="http://chrishoofnagle.com/blog/?p=696" rel="nofollow">approach</a> to dealing with measuring ID theft (not breaches &#8212; ID theft) has been put forward by Chris Hoofnagle, and it involves making banks mandatory reporters.  It&#8217;s an intriguing concept that (if it doesn&#8217;t create other issues) neatly sidesteps the &#8220;dark matter&#8221; problem.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andy Steingruebl</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3728</link>
		<dc:creator>Andy Steingruebl</dc:creator>
		<pubDate>Fri, 29 Jun 2007 23:06:18 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3728</guid>
		<description>What I&#039;m reminded of in this debate is the recent reports from the Mitre folks correlating the CVE data to the CWE data.  This allows us to not just judge the number of vulnerabilities per product, etc. but it allows us to understand root causes and know where to spend energy on fixes.  Or, it tells us what the easiest to exploit vulnerabilities are, and hence the ones we&#039;re smartest to fix.
Since we don&#039;t know how many of the data breaches we&#039;re seeing result in identity theft vs. other avenues, we don&#039;t actually have any ability to prioritize security.  Maybe insiders are actually stealing tons of data, we don&#039;t know it, and we&#039;re instead going to spend a lot of data on laptop security instead of better audit logs...  Who knows.  We&#039;re operating in a vacuum at this point in time.
</description>
		<content:encoded><![CDATA[<p>What I&#8217;m reminded of in this debate is the recent reports from the Mitre folks correlating the CVE data to the CWE data.  This allows us to not just judge the number of vulnerabilities per product, etc. but it allows us to understand root causes and know where to spend energy on fixes.  Or, it tells us what the easiest to exploit vulnerabilities are, and hence the ones we&#8217;re smartest to fix.<br />
Since we don&#8217;t know how many of the data breaches we&#8217;re seeing result in identity theft vs. other avenues, we don&#8217;t actually have any ability to prioritize security.  Maybe insiders are actually stealing tons of data, we don&#8217;t know it, and we&#8217;re instead going to spend a lot of data on laptop security instead of better audit logs&#8230;  Who knows.  We&#8217;re operating in a vacuum at this point in time.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3727</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Fri, 29 Jun 2007 19:48:40 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3727</guid>
		<description>One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network.  This is something that the folks at ID Analytics offer as a product, actually.  I don&#039;t know how effective their fraud detection stuff is, or whether its coverage is biased in any way, but they have a good idea in principle.
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.  Too bad there is so little info available about how the ID Analytics system works, because it is intriguing.
I don&#039;t see any reason, in principle, that this kind of thing couldn&#039;t be done by others (like the credit bureaus), but there may be legal obstacles, and unless they are compelled to do it or can make money at it, there&#039;s no reason for them to try.
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information.  It&#039;s clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.
</description>
		<content:encoded><![CDATA[<p>One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network.  This is something that the folks at ID Analytics offer as a product, actually.  I don&#8217;t know how effective their fraud detection stuff is, or whether its coverage is biased in any way, but they have a good idea in principle.<br />
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.  Too bad there is so little info available about how the ID Analytics system works, because it is intriguing.<br />
I don&#8217;t see any reason, in principle, that this kind of thing couldn&#8217;t be done by others (like the credit bureaus), but there may be legal obstacles, and unless they are compelled to do it or can make money at it, there&#8217;s no reason for them to try.<br />
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information.  It&#8217;s clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andy Steingruebl</title>
		<link>http://emergentchaos.com/archives/2007/06/data-on-data-breaches.html/comment-page-1#comment-3726</link>
		<dc:creator>Andy Steingruebl</dc:creator>
		<pubDate>Fri, 29 Jun 2007 13:04:26 +0000</pubDate>
		<guid isPermaLink="false">http://emergentchaos.com/?p=2413#comment-3726</guid>
		<description>What I find interesting about the analysis of the reported breaches is that we don&#039;t have a way to tie individual breaches back to cases of identity theft so that we have some idea of the actual impact of the breaches.
You talk about false negatives (undetected data loss).  It would be illuminating to know how often identity theft happens as a result of these data losses versus other means that aren&#039;t necessarily reported.  If we had a way to compare these we&#039;d have a much better idea of root cause.
For example, in most of the data losses we&#039;ve seen where large amounts of data went missing on laptops, we don&#039;t have any idea whether the laptop was quickly formatted and pawned, or sold to a data broker who used it to commit or help commit identity theft.
Any thoughts on how to tackle this piece of the puzzle?
</description>
		<content:encoded><![CDATA[<p>What I find interesting about the analysis of the reported breaches is that we don&#8217;t have a way to tie individual breaches back to cases of identity theft so that we have some idea of the actual impact of the breaches.<br />
You talk about false negatives (undetected data loss).  It would be illuminating to know how often identity theft happens as a result of these data losses versus other means that aren&#8217;t necessarily reported.  If we had a way to compare these we&#8217;d have a much better idea of root cause.<br />
For example, in most of the data losses we&#8217;ve seen where large amounts of data went missing on laptops, we don&#8217;t have any idea whether the laptop was quickly formatted and pawned, or sold to a data broker who used it to commit or help commit identity theft.<br />
Any thoughts on how to tackle this piece of the puzzle?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
