[Dataloss] Fwd: 88 million... is it really an accurate number? (fwd)

Fri Jun 30 20:55:18 EDT 2006

I've appreciated reading the discussion about "88 million." That 
number most likely comes from our Chronology of Data Breaches, posted 
on our web site here:
http://www.privacyrights.org/ar/ChronDataBreaches.htm

We have revised the text to reflect number of RECORDS, rather than 
number of INDIVIDUALS.

Thanks for your critical thinking on this matter.

Beth Givens

>Delivered-To: dataloss at attrition.org
>Date: Wed, 28 Jun 2006 09:12:13 -0400 (EDT)
>From: lyger <lyger at attrition.org>
>To: dataloss at attrition.org
>Subject: [Dataloss] 88 million... is it really an accurate number? (fwd)
>Precedence: list
>List-Id: Incidents of Data Loss <dataloss.attrition.org>
>List-Unsubscribe: <https://attrition.org/mailman/listinfo/dataloss>,
>         <mailto:dataloss-request at attrition.org?subject=unsubscribe>
>List-Archive: <http://attrition.org/pipermail/dataloss>
>List-Post: <mailto:dataloss at attrition.org>
>List-Help: <mailto:dataloss-request at attrition.org?subject=help>
>List-Subscribe: <https://attrition.org/mailman/listinfo/dataloss>,
>         <mailto:dataloss-request at attrition.org?subject=subscribe>
>Sender: dataloss-bounces at attrition.org
>Errors-To: dataloss-bounces at attrition.org
>
>
>
>---------- Forwarded message ----------
>From: blitz <blitz at strikenet.kicks-ass.net>
>To: lyger <lyger at attrition.org>
>Date: Wed, 28 Jun 2006 09:08:38 -0400
>Subject: [Dataloss] 88 million... is it really an  accurate number?
>
> >On Tue, 27 Jun 2006, lyger wrote:
>
> >Hobbit's question leads to yet another question regarding uniqueness:
> >
> >You're an American citizen and have three credit cards.  Two are VISAs,
> >one is a MasterCard.  Are you:
> >
> >1.  One "record" because of your name and mailing address,
> >2.  Two "records" because you have two different brands of cards,
> >3.  Three "records" because you have three unique card numbers, or
> >4.  Six records because of the cross-references between your card brands
> >and card numbers that seem to exist in various databases?
> >
> >I can't honestly answer that question, so any insight would be
> >appreciated.  Are combined raw numbers really useful?  Example = Ohio
> >University.  In their four or five breaches, are they counting for
> >uniques?  Did one person's records live on five different breached
> >servers? One media story says 360,000.  Another says 70,000.  Is the media
> >counting "records", "names", "unique individuals", or some other criteria?
> >
> >(if responding, please post below for easier thread-following)
>
>
>Hmm..I see your problem..
>I'd say, every breach, at a different time, or different data, by the
>same or other reason/fault that allowed it to be acquired would
>constitute a separate incident.
>
>In other words, is XYZ company lost your personally identifiable info
>on Monday, but the thieves came back on Tuesday, and got either the
>same or different data, each would count as a separate incident. This
>would tend to push figures higher, as the invader might of copied A-M
>account data on Monday, and A-Z Tuesday, but since they were on
>different occasions, yes, I'd count them as separate incidents for
>the record. Of course, XYZ would like to say "there was a data loss",
>but as long as we can date the incursions, they should be separate IMHO.
>We ALL know the stats are being manipulated DOWN by those affected
>for liability reasons...so if you can document individual breaches,
>by all means count them as separate.
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/

The information, advice, and suggestions contained in this email
should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice:  619-298-3396
Fax:  619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter.
http://www.privacyrights.org/subscribe.html