Data Loss: Why we do this

Tue Feb 20 21:01:22 EDT 2007

"Will you remove an entry from the Data Loss web page or DLDOS?"

On a few occasions, Attrition has been asked to remove a data loss entry. In many cases, a company's representative feels that since the incident was never conclusively proven to have compromised personal data, it is imperative that the listing of the company come down as well.

While this is certainly understandable, Attrition will not remove entries for companies with potential data loss incidents. There are several reasons for this -- primarily, Attrition's web page and database are services to the security community, just as a news outlet is. We report on data loss incidents, whether confirmed or still in question. As part of our reporting, we gather statistics and serve as a record.

Attrition's statistics, for instance, are a very valuable part of the service we provide. Our staff are often asked about data loss incidents and current trends in them, and we have even been asked by the United States government to assist with research regarding such incidents. We believe we are the most comprehensive source for compiled data loss incidents, and not surprisingly the statistics we generate are valuable. To remove a legitimate incident at a company's request compromises the integrity of our statistics, because we would no longer be preserving the original data on which our statistical conclusions are drawn... and through such action, that part of our service becomes worthless.

Attrition's data loss web page and database also act as a historical record of such incidents over time. They can only serve that function if they remain an unadulterated, unabashed, and unalterable historical record. By making an exception for one company, we would open ourselves to doing the same for all companies -- any reported incident could then be removed by simple request, and the historic nature of this database and the information it preserves would be irrevocably meaningless.

Moreover, our web page and database are often used by government agencies and educational institutions in the course of research. Not only could the removal of a company's incident conceivably be confusing, it would also render our data an unreliable source of information for researchers in general. This ties into the historical and statistical value of the lists, since both facets of this service are valuable to government entities and private researchers alike.

Most important, though, is our ethical stance on the subject -- what our data means to us. We feel that tracking these events is important, and that each company that has been the victim of a breach, or possible breach, of personal information represents a liability to society as a whole. Too many companies, for fear of bad public relations, go to great lengths to keep security incidents secret... often greater lengths than they take to actually protect personal information. This has far-reaching consequences when the entity is a commercial one with paying customers whose data may be exposed to unauthorized access. If a company has been compromised, we feel it is irresponsible to sweep the incident under the carpet as if it had not happened. To remove an entry would, we feel, violate our own ethical stance against this tendency to hide or deny security incidents.

That said, we do understand and sympathize with the companies who are victims of these breaches. If we can assist in any way with an investigation or research into a particular incident, we're glad to help; simply notify staff[at]
