[Dataloss] security breaches as a result of email

Al Mac macwheel99 at sigecom.net
Wed Oct 11 13:45:59 EDT 2006


If you dig into the archives of this list and the new 
http://attrition.org/dataloss/dldos.html DLDOS database, there are several 
instances where we have people who are klutzes with respect to how to use 
e-mail, and instead of sending some communication to ONE contact, they send 
something out listing all info on all contacts, or they have some kind of 
database of info on people and there is a mismatch on who the data is 
supposed to go to.  For example, CSI has a database on everyone who 
requested the FBI file on annual computer crime statistics, then they used some 
software package to e-mail those people with some invitation, except it 
mismatched ... info on person-A was sent with the invite to person-B, 
multiplied by however many people were involved.

The database has coding http://attrition.org/dataloss/dldoskey.html as to 
the nature of the breach that could narrow you down to this kind of relevance, but 
this is something that continues to evolve, and be improved upon by 
feedback here.  I do not see in the chart a coding for the nature of the 
breach:
* laptop gone missing
* dumpster diving
* hacker broke in
* data managers must have been computer illiterates
* data managers must have been privacy illiterates
* e-mail stupidity
* etc.
so if you do a search of the raw data, looking for "e-mail", you are going to 
get a lot of hits where what was breached was a person's e-mail address.

You might go to Privacy Rights Chronology 
http://www.privacyrights.org/ar/ChronDataBreaches.htm and study the whole 
thing, looking for breaches for that reason.

Several different outfits are trying to track this data.  As mentioned in 
an earlier thread, Bill Yurick and a student worked to combine the breach 
data at:
<http://www.projects.ncassr.org/storage-sec/papers/wesii-3.pdf>
        "Beyond Media Hype: Empirical Analysis of Disclosed
          Privacy Breaches 2005-2006 and a DataSet/Database
          Foundation for Future Work"

You might find their graphics informative.  There are some other outfits 
that have done similar work, and I gave Bill links to those I was aware of, 
in case that would help with their efforts.  If you are interested, I could 
dig into the e-mails I sent Bill & forward them to you, off line from this 
list.  Basically I addressed suggestions for improving the report, and the 
state of privacy protection around the world.

Al Macintyre

>I'm looking for examples or statistics where email (either intentional or 
>not intentional) was the root cause of a security breach.  Can anyone 
>direct me to a web site where I may be able to locate this data?
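The mismatch Al describes (person-A's profile going out with the invite addressed to person-B) is what happens when a mail merge joins an address list to a profile table by row position after one of them has been filtered or re-sorted. The following is an added example, not code from the original post or from CSI; it joins the two tables on a stable key instead and runs a pre-send check that no rendered message carries another contact's data. All names, e-mail addresses and profile fields are constructed sample data.

```python
"""Mail-merge cross-contamination check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    contact_id: int
    name: str
    email: str


@dataclass(frozen=True)
class Profile:
    contact_id: int
    org: str
    phone: str


# Constructed sample data. The profile table is in a different order than
# the contact table, which is exactly what breaks a positional merge.
CONTACTS = [
    Contact(1, "Ann", "ann@example.org"),
    Contact(2, "Bob", "bob@example.org"),
    Contact(3, "Cy", "cy@example.org"),
]
PROFILES = [
    Profile(2, "Bob Corp", "555-0002"),
    Profile(3, "Cy Ltd", "555-0003"),
    Profile(1, "Ann Inc", "555-0001"),
]


def render(contact, profile):
    """Build one outgoing message; the first line is the recipient address."""
    return (f"To: {contact.email}\n"
            f"Dear {contact.name}, we have you at {profile.org}, {profile.phone}.")


def merge_by_position(contacts, profiles):
    """The faulty pattern: assumes both lists line up row for row."""
    return [render(c, p) for c, p in zip(contacts, profiles)]


def merge_by_key(contacts, profiles):
    """Join on contact_id, and refuse to send if a profile is missing."""
    by_id = {p.contact_id: p for p in profiles}
    out = []
    for c in contacts:
        p = by_id.get(c.contact_id)
        if p is None:
            raise KeyError(f"no profile for contact {c.contact_id}")
        out.append(render(c, p))
    return out


def cross_contamination(messages, contacts, profiles):
    """Pre-send check: count messages that carry another contact's profile.

    A message addressed to X must not mention any org/phone belonging to
    someone other than X. Returns the number of offending messages, so a
    send job can abort when the result is non-zero.
    """
    email_to_id = {c.email: c.contact_id for c in contacts}
    bad = 0
    for msg in messages:
        to = msg.split("\n", 1)[0][len("To: "):]
        owner = email_to_id[to]
        for p in profiles:
            if p.contact_id != owner and (p.org in msg or p.phone in msg):
                bad += 1
                break
    return bad


if __name__ == "__main__":
    positional = merge_by_position(CONTACTS, PROFILES)
    keyed = merge_by_key(CONTACTS, PROFILES)
    print("positional merge, contaminated messages:",
          cross_contamination(positional, CONTACTS, PROFILES))
    print("keyed merge, contaminated messages:",
          cross_contamination(keyed, CONTACTS, PROFILES))
```

With the constructed data, the positional merge contaminates all three messages while the keyed merge contaminates none; the point of the check is that it runs against the rendered output, so it catches the mismatch whatever the merge tool did upstream.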
