[Dataloss] 88 million... is it really an accurate number? (fwd)

lyger lyger at attrition.org
Wed Jun 28 09:12:13 EDT 2006



---------- Forwarded message ----------
From: blitz <blitz at strikenet.kicks-ass.net>
To: lyger <lyger at attrition.org>
Date: Wed, 28 Jun 2006 09:08:38 -0400
Subject: [Dataloss] 88 million... is it really an  accurate number?

>On Tue, 27 Jun 2006, lyger wrote:

>Hobbit's question leads to yet another question regarding uniqueness:
>
>You're an American citizen and have three credit cards.  Two are VISAs,
>one is a MasterCard.  Are you:
>
>1.  One "record" because of your name and mailing address,
>2.  Two "records" because you have two different brands of cards,
>3.  Three "records" because you have three unique card numbers, or
>4.  Six records because of the cross-references between your card brands
>and card numbers that seem to exist in various databases?
>
>I can't honestly answer that question, so any insight would be
>appreciated.  Are combined raw numbers really useful?  Example = Ohio
>University.  In their four or five breaches, are they counting for
>uniques?  Did one person's records live on five different breached
>servers? One media story says 360,000.  Another says 70,000.  Is the media
>counting "records", "names", "unique individuals", or some other criteria?
>
>(if responding, please post below for easier thread-following)


Hmm..I see your problem..
I'd say, every breach, at a different time, or different data, by the
same or other reason/fault that allowed it to be acquired would
constitute a separate incident.

In other words, is XYZ company lost your personally identifiable info
on Monday, but the thieves came back on Tuesday, and got either the
same or different data, each would count as a separate incident. This
would tend to push figures higher, as the invader might of copied A-M
account data on Monday, and A-Z Tuesday, but since they were on
different occasions, yes, I'd count them as separate incidents for
the record. Of course, XYZ would like to say "there was a data loss",
but as long as we can date the incursions, they should be separate IMHO.
We ALL know the stats are being manipulated DOWN by those affected
for liability reasons...so if you can document individual breaches,
by all means count them as separate.



More information about the Dataloss mailing list