“No Evidence” and Breach Notice

According to ZDNet, “Coleman donor data breached in January, but donors alerted by Wikileaks not campaign:”

Donors to Minnesota Senator Norm Coleman’s campaign got a rude awakening this week, thanks to an email from Wikileaks. Coleman’s campaign was keeping donor information in an unprotected database that contained names, addresses, emails, credit card numbers and those three-digit codes on the back of cards, Wikileaks told donors in an email.

and

We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

I wanted to bring this up, not to laugh at Coleman (that’s Franken’s job, after all), but because we frequently see assertions that “there’s no evidence that…”

As anyone trained in any science knows, absence of evidence is not evidence of absence. At the same time, sometimes there really is sufficient evidence, properly protected, that allows that claim to be made. We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionaly, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.

The Lastest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? Do we have to get all wrapped around the secrecy axle?

I wanted to talk a little about this release from the Pennsylvania Credit Union Association, which was the first confirmation of the new breach, and said in passing:

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US- 2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09.

Now, what I found really interesting is the form of those numbers, which apply to “event series” and “alert series.” Visas is “US-2009-0088-IC” If I were to break that down, I’d figure that the 0088 is an event number, and Mastercard’s on MC alert #150.

So before anyone jumps up and says “OMG! 150 breaches! pwn! doom!” let’s analyze. First, either Visa and Mastercard have very different rules about what gets an event or an alert, or very different detection speeds. I think the former is more likely. So given that the networks have different definitions of what an event is, there are at least two professionally defensible definitions, and likely many more.

I wonder what the definitions are, and if they tell us anything about public breach notification rates.

Javelin ID theft survey

Javelin_ID_Theft_Survey_adjusted.jpg
Salon reports “Identity theft up, but costs fall sharply:”

In 2008, the number of identity theft cases jumped 22 percent to 9.9 million, according to a study released Monday by Javelin Strategy & Research. The good news is that the cost per incident — including unrecovered losses and legal fees — fell 31 percent to $496.

Javelin, unfortunately, does work with confidential numbers, so we can’t reproduce or analyze their results.

So we can’t tell if this undercuts the idea that breach disclosure laws don’t work. We can tell that the common reporting is wrong, as Kevin Poulsen demonstrates in “Stolen Wallets, Not Hacks, Cause the Most ID Theft? Debunked.”

Via Concurring Opinions
[Update: fixed image url.]

$450 per account? No.

So there’s a claim going around, which is that I believe that a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly):

(Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud
losses, according to data reported by 22 financial institutions. More
than 700 accounts were used fraudulently. That’s out of millions that
were breached. Do you find that $318K figure high or about right.

(me) That’s about $450 per account, which is inline with the reports of how
the crooks were monetizing their data.

This was reported as:

Adam Shostack, blogger and author of The New School of Information Security, said the expenses turn out to be about $450 for each breached account, which is inline with the estimated figures on for sales of pilfered account data on the black market.

I’m not naming the interviewer, because I don’t want to imply that the fault is his. I answered the question, he quoted me.

What I meant, which I think is clear from context is: “That’s about $450 per abused account, which is inline with the reports of how the crooks were monetizing their data.”

Emergent Chaos regrets … any confusion which may have resulted, and I’d like to thank Patrick Florer for drawing my attention to this.

[Update: Robert Westervelt has updated the original story. Thanks, Robert! I hadn’t contacted him because I felt the reporting was not inaccurate.]

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.'” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both side know that these things happen. If we talked about the incidents we could assess their frequency and see if there are cost effective ways to prevent these things. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.

First Impressions of the 2008 Ponemon Report

So the 2008 Ponemon breach survey is out and I’m reading through it, but I wanted to expand on the headline: “Ponemon Study Shows Data Breach Costs Continue to Rise.”

This is the report’s figure 3:

Ponemon Study Breaches.jpg

Left to right, those are “detection and escalation,” notification, “ex-post response” and “lost business.” I note that 2 fell, one is flat, and one rose. The lost business number is a survey estimate, an extrapolation.

I am, to be frank, somewhat skeptical of these lost business numbers. I think that the estimates are now at risk of being “self-feeding,” where people take one of the estimates they’ve seen from prior reports, and build an estimate on that, adding a little “because this is a bad one.”

I’m also pretty surprised to see that 5 industries reported churn rates above 5%. They are healthcare, financial, energy, communications, and ‘services.’ I’m not as skeptical here–these are easier to measure for both the reporter and the surveyor. I am surprised because at least health and financial can have pretty good lock in. I tend to agree with the analysis that “[The] growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitized to the issue.”

So I’m pretty sure I have readers who have been involved in a breach response process. Can you comment (anonymously if you’d like) about how accurate you think these calculations are? What margin of error would you assign to your own organization’s estimates of lost business?

[Update: Black Fist has interesting and similar analysis in “ Risk analysis: Cost of breaches and rolling your own numbers,” which I just saw.]

A few Heartland links

Well, Mordaxus got the story, but I’ll add some links I found interesting or relevant.

StoreFront BackTalk has From The Heartland Breach To Second Guessing Service Providers. Dave G at Matasano added “Heartland’s PCI certification.” The Emergent Chaos time travel team already covered that angle in “Massachusetts Analyzes its Breach Reports:”

What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new.

Rich Mogull points out that:

This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls.

IDS users, vendors or advocates care to comment on why that’s happening?

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past.

Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost in the TJX breach.

There aren’t many details, yet. Apparently the hackers were on the network for months, having gotten in through malware.

We will of course hear many more details on this. The USA Today article has some news. AP has the best reporting I’ve read, but they are ambivalent about pixels, so you’ll have to find it on your own.

Massachusetts Analyzes its Breach Reports

Mass Data Breach Report.jpg
In “Report On The M.G.L. Chapter 93H Notifications,” the Office of Consumer Affairs analyzes the breach notices which have come in. The report is a lot shorter than the “Maine Breach Study,” coming in at a mere four pages.

There are many interesting bits in those four pages, but the two that really jumped out at me are:

  • The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.

    and

  • The Hannaford breach (as understood in light of the HSBC notification) illustrates that data breaches not amounting to the breach of “personal information” have the potential to be as damaging as those that do involve such information.

What’s exciting about this is that we’re seeing the PCI standard being tested against empirical data about its effectiveness. Admittedly, the report jumps to conclusions from a single data point, but this is new for security. The idea that we can take a set of “best practices” and subject them to a real test is new. It might, if you’ll forgive me, even be New School.

Evidence of Time Travel Found in China

The twain meeting

According to Ananova, a Swiss watch-ring has been found covered in dirt in a four-hundred year old Ming dynasty tomb. The watch was found, covered in dirt. It was stopped at the time 10:06 and has the word, “Swiss” engraved on the back.

The archaeologists on the dig have requested archaeologists from Beijing to help them unravel the mystery.

Emergent Chaos contacted the Hong Kong representatives of Allied Epochs, a time-travel law enforcement agency, who told us that an investigation into the matter is already ongoing, but no report on the incident is available yet.

Do Security Breaches Cost Customers?

Adam Dodge, building on research by Ponemon and Debix, says “Breaches Cost Companies Customers,” and Alan Shimel dissents in “Do data breaches really cost companies customers?”

Me, I think it’s time we get deeper into what this means.

First, the customers. Should they abandon a relationship because the organization has a security problem? To answer this, we first need to look at the type of organization. For governmental organizations, it’s very hard. They won’t let you go, and if they do, they won’t destroy your dossier the dossier about you.

For regulated entities, they generally may not delete the information they collected for some number of years (varies, but always sufficient for them to lose control of the data again).

For unregulated entities, you can’t (in the US) ask them to delete the database record either.

So for most breaches, the only value to abandoning the relationship is to stop paying the company. Which is a reasonable bit of retribution, but doesn’t actually add to security, and may subtract from it. It could subtract because (assuming you replace the service you were getting) there’s now an additional dossier about you.

Second, what’s the discrepancy? Why do 30% of customers report having closed a relationship, but Ponemon’s own numbers show a range of 2-7%? There are three hypothesis which spring to mind.

  1. Consumers are confused or lying. This would only make sense if you think the American people are idiots. The sort of folks who would think Iraq had chemical weapons in 2002 buy books titled “neurosurgery for dummies.”
  2. Consumers are right, and closing one of several relationships. All those numbers could be right, if consumers are getting more notices than we think. This would be one of many problems with our volunteer based systems for tracking breaches.
  3. The discrepancy is really notices sent versus notices received. That is, people are not opening the “Dear John Doe” letters.

DataLossDB announces awesome new feature

The Data Loss Database, run by the Open Security Foundation, now has a significant new feature: the inclusion of scanned primary source documents.
This means that in addition to being able to determine “the numbers” on an incident, one can also see the exact notification letter used, the reporting form submitted to state government, cover letters directed at (for example) an attorney-general, and the like. Importantly, all the documents have been OCRed, making it possible to search within them.
There are currently several hundred documents in the archive, most of which arrived in the last few days. In order to link the docs to existing breach records quickly, the folks at DataLossDB latched onto a key insight: this is an embarrassingly parallelizable problem. Therefore, a screen is provided to do a bit of matching of scanned docs to existing breach entries. For those without research assistants, crowdsourced data entry is the way to go :^).
If you’re the type of person who is into the details of breaches — and who isn’t? — you should check this out.
Full disclosure: I contributed many of the documents in the archive, and am extremely pleased at what has come of this. The DataLossDB interface is vastly superior to even the vaporware version of my site.

“No evidence the data was misused”

The next time you read a statement that a breached entity has found no evidence of data misuse, remember this: data may have been misused even though entities are unaware of it.

Tim Wilson of Dark Reading provides a current example of why entities should inform customers, this one involving the T-Mobile breach that affected 17 million customers. The company found no evidence of data misuse and based on the recovery of the device and their own investigation, never informed the customers in 2006. But…

For the rest, you’ll have to click over to PogoWasRight.