Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
As reported in the St. Louis Business Journal on April 1:

Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
[...]
If the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
The legislation needs a second vote of approval before moving to the House for similar consideration.

St. Louis Business Journal
Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.

Happy Sunshine Week

March 15-21 is “Sunshine Week”, a government transparency initiative described by its main proponents as

a national initiative to open a dialogue about the importance of open government and freedom of information. Participants include print, broadcast and online news media, civic groups, libraries, non-profits, schools and others interested in the public’s right to know.

The arguments in favor of governmental transparency are numerous and well-known. On a purely pragmatic basis, it is harder to hide misdeeds, inefficiencies, and feather-bedding when anyone can ask you to show your work. Stated simply, quality evidence aids decision-making and reveals entrenched self-dealing, waste, and deception.
Information security folks, particularly New School adherents, should find much to like in this. I want to highlight once again the outstanding work of our friends at DataLossDB.org. In addition to operating what was formerly Attrition.org’s DataLoss database, they have become a central repository for the actual source documents — notification letters, reporting forms, etc. — pertaining to breaches. The majority of these documents have been obtained via — you guessed it — Freedom of Information requests.
By highlighting DataLossDB, I do not mean to slight the actions of others. Since I have been fairly active as a researcher in querying government entities, I know there is a small community of like-minded folks, with DataLossDB having several (and certainly the fastest RonR coders!).
The fact that relatively obscure people — all of whom have day jobs, as far as I know — can assemble an archive of this caliber is a testament to the leverage Freedom of Information laws give to citizens. And we know the information in these materials is valuable when made available broadly because state legislatures have seen the results and are looking to emulate the leaders.
So, with Spring on its way — at least at my latitude — here’s to more sunshine.

“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.

and

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards for how such decisions should be made. With such standards, organizations could make better decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? Do we have to get all wrapped around the secrecy axle?

I wanted to talk a little about this release from the Pennsylvania Credit Union Association, which was the first confirmation of the new breach, and said in passing:

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09.

Now, what I found really interesting is the form of those numbers, which apply to “event series” and “alert series.” Visa’s is “US-2009-0088-IC”. If I were to break that down, I’d figure that the 0088 is an event number, and that MasterCard is on MC alert #150.

So before anyone jumps up and says “OMG! 150 breaches! pwn! doom!” let’s analyze. First, either Visa and Mastercard have very different rules about what gets an event or an alert, or very different detection speeds. I think the former is more likely. So given that the networks have different definitions of what an event is, there are at least two professionally defensible definitions, and likely many more.

I wonder what the definitions are, and if they tell us anything about public breach notification rates.

Javelin ID theft survey

Salon reports “Identity theft up, but costs fall sharply:”

In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to $496.

Javelin, unfortunately, does work with confidential numbers, so we can’t reproduce or analyze their results.

So we can’t tell if this undercuts the idea that breach disclosure laws don’t work. We can tell that the common reporting is wrong, as Kevin Poulsen demonstrates in “Stolen Wallets, Not Hacks, Cause the Most ID Theft? Debunked.”

Via Concurring Opinions
[Update: fixed image url.]

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly):

(Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used fraudulently. That’s out of millions that were breached. Do you find that $318K figure high or about right?

(me) That’s about $450 per account, which is in line with the reports of how the crooks were monetizing their data.

This was reported as:

Adam Shostack, blogger and author of The New School of Information Security, said the expenses turn out to be about $450 for each breached account, which is in line with the estimated figures for sales of pilfered account data on the black market.

I’m not naming the interviewer, because I don’t want to imply that the fault is his. I answered the question, he quoted me.

What I meant, which I think is clear from context, is: “That’s about $450 per abused account, which is in line with the reports of how the crooks were monetizing their data.”

Emergent Chaos regrets … any confusion which may have resulted, and I’d like to thank Patrick Florer for drawing my attention to this.

[Update: Robert Westervelt has updated the original story. Thanks, Robert! I hadn't contacted him because I felt the reporting was not inaccurate.]

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.’” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both sides know that these things happen. If we talked about the incidents, we could assess their frequency and see if there are cost-effective ways to prevent them. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.

First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.”

This is the report’s figure 3:

[Ponemon report, figure 3: per-record breach cost components]

Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, one is flat, and one rose. The lost business number is a survey estimate, an extrapolation.

I am, to be frank, somewhat skeptical of these lost business numbers. I think that the estimates are now at risk of being “self-feeding,” where people take one of the estimates they’ve seen from prior reports, and build an estimate on that, adding a little “because this is a bad one.”

I’m also pretty surprised to see that 5 industries reported churn rates above 5%. They are healthcare, financial, energy, communications, and ‘services.’ I’m not as skeptical here–these are easier to measure for both the reporter and the surveyor. I am surprised because at least health and financial can have pretty good lock-in. I tend to agree with the analysis that “[The] growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitized to the issue.”

So I’m pretty sure I have readers who have been involved in a breach response process. Can you comment (anonymously if you’d like) about how accurate you think these calculations are? What margin of error would you assign to your own organization’s estimates of lost business?

[Update: Black Fist has interesting and similar analysis in “Risk analysis: Cost of breaches and rolling your own numbers,” which I just saw.]