The Wall Street Journal followed the same issue, looked into the breach notification process, and found that only four of the eleven chains mentioned by the USDOJ clearly alerted their customers to breaches.
Two others say they never told customers because they never confirmed data were stolen from them, and the rest of the retailers wouldn't say whether they made consumer disclosures. The Wall Street Journal's searches of the retailers' Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.
So why is it important? Who cares if one notified customers?
Beyond the ethical questions and the moral support that we, as an industry, can provide to the victims or victims-to-be, there are issues related to the distribution of breach notifications, since they are sometimes used as the only source for measuring the magnitude of the problem. When the research information (based on the open source DataLossDB) is not accurate enough due to lack of reporting, one might draw the wrong conclusions about the characteristics of the data loss problem. For example, the most recent statistics (January 1st 2008 to June 15th 2008) tell us that the educational sector is the one with the most incidents; however, those numbers are likely to be wrong.

It also tells us that the magnitude of data loss and information breaches is bigger than known to the public. Attorney General Michael Mukasey is verifying what we knew: the problem is bigger than what is known to the public.









Yes, it does seem like it is the tip of the iceberg after all (see this story on the same topic: "89% of security incidents went unreported in 2007", http://www.net-security.org/secworld.php?id=6380).