100 million... the gloves come off.

Thu Dec 14 20:31:40 EDT 2006


I'm going to preface this entire rant with one caveat: I have respect for Beth Givens and Privacy Rights Clearinghouse for their efforts to promote awareness regarding data breaches that involve personally identifying information. I have respect for other groups and entities who care enough to report these breaches, analyze them, and provide meaningful and insightful commentary and analysis. However:

I really have a hard time respecting journalists who fail to do basic background research regarding this topic, especially when their writings openly praise the "popular kids at school" and fully ignore the hard work of others who make those "kids" so popular.

Cases in point:
27B Stroke 6: Data Spills: 100 Million Served

IT Week: Victims of identity theft top 100m

CSO Blogs: What's 100 million secrets between friends?

Here's a little bit of information for those who haven't yet been informed: Attrition.org, along with PogoWasRight.org, are the ones who feed Privacy Rights Clearinghouse their "list". From the PRC web page, verbatim:

# Attrition, www.attrition.org/dataloss includes links to news articles for the breaches listed on this page and offers free e-mail list-serve on the latest breaches, www.attrition.org/security/dataloss.html. Most of the breaches summarized on this page have been obtained from the Dataloss list-serve which in turn provides links to news stories about breaches.

# PogoWasRight and Attrition now collaborate in providing up-to-date information about security breaches (Sept. 2006), www.pogowasright.org.

# Attrition now provides an open source database of its data breach records, called the Data Loss Database - Open Source, or DLDOS. It is a flat comma-separated value file that can be imported into a database or spreadsheet program for your own data analysis. Visit attrition.org/dataloss/dataloss.csv.

That's right, you read it. Attrition and PWR, for the most part, FEED PRC'S LIST. Granted, PRC started their list in April of 2005. Attrition started its list in June of 2005. At that time, neither PRC nor Attrition had any knowledge of the other's efforts. For those of you who think the Attrition.org list might have been either "borrowed" from PRC or was my idea to begin with, here's a little insider info:

---------- Forwarded message ----------
From: security curmudgeon (jericho[at]attrition.org)
To: errata submission (errata[at]attrition.org>
Date: Wed, 18 Apr 2001 19:57:03 -0600 (MDT)

we need a new section (and i have several saved pieces for it) that list companies who exposed CC numbers and the like. whether they are security companies or not, i wanna keep a list w/ articles of any of them that leaked CC info

Jericho had this idea over FIVE YEARS AGO. Jericho said "let's make a page listing breaches". We did. Jericho said "let's make a mail list". We did. Jericho said "let's do a database with this info". We did. To PRC and Beth Givens' credit, they have been extremely cooperative and great to work with when we asked for credit regarding our work. But for some reason, journalists seem to go for the easy route and not look into any background. Sorry, Kevin Poulson, this means you. Dissent from PogoWasRight and I have literally spent *dozens* (if not a couple hundred) of hours trying to find new information, post in a timely manner, update a web page, and update AND backfill a database with over 500 breaches. And we get... zilch. In the last eighteen months since we started doing this, Jericho and I have received exactly TWO media requests for information, neither of which were published anywhere. We're not doing this for money, we're not doing this for fame, but goddammit, other than Beth Givens and PRC, we're not getting any credit either. 100 million my ass. The Data Loss Database - Open Source has almost 510 events and over 143 MILLION compromised records as of this writing. 100 million? Dudes and dudettes, we had that over six months ago.

Do I sound bitter? Yes. Frustrated? Absolutely. Do I have a valid point? Hope so. We're doing this because we want to, not because we have to. We're doing it because we care, not because we're looking for government grants or private funding (although that might be nice). One last time, nothing against Beth Givens, PRC, or anyone else, but we're working hard to provide this information and we get very little recognition in return, especially from the media. Then again, why should that be surprising? We fought this very same battle a long time ago with the Defacement Mirror during the first year it was maintained.

We're not "the popular kids", but when we get stuff done, we do it right.

main page ATTRITION feedback