Since July 1, 2005, attrition.org has "officially" been tracking incidents regarding the theft, loss, or exposure of personally identifiable information (PII). In the months since the creation of the Data Loss web page, Data Loss Mail List, and Data Loss Database (Open Source) (aka "DLDOS"), we have been asked many questions about not only why we maintain these resources but also about what criteria we use to determine the inclusion of events into the mail list, web page, and database. For anyone interested, we feel that we should try to clarify our "requirements" and answer any questions that may arise.
First, we can't "report" what we don't know. In most cases, we will only include events that are reported by a legitimate media source. While we could include blog rumors and tips via email from unverified sources, we feel that it's best to have a verifiable and reputable source of information in case there are any questions or concerns regarding the validity of the information contained in our resources. If an event isn't covered by a reputable media source, there's a good chance we may not include it in our resources. We do understand that work by others such as Chris Walsh, who finds additional breaches through Freedom of Information Act (FOIA) requests, will uncover breaches not normally reported by media outlets, but attrition.org simply doesn't have the resources to actively pursue such additional information. We applaud Chris for his efforts and hope that he continues to keep up with his endeavors.
Second, we're often asked "why isn't the breach by Company X listed on your web page and/or database?" In many cases, it's a matter explained in the paragraph above: we can't "report" what we don't know. In other cases, we may opt not to include a breach according to various factors:
If another site wishes to include a breach on their list that we choose not to include, that's their choice. Several times, we have been asked about our "methodology" in researching and including breaches on the Data Loss web page and DLDOS. It's actually not rocket science, nor should it be treated as such. While data loss is an interesting topic worthy of research and discussion, our "methodology" has been, and will remain, simple:
In the last couple of years, attrition.org has been listed as one of the primary resources for Privacy Rights Clearinghouse's Chronology, has been interviewed by the United States Government Accountability Office, and has been featured in Symantec's Internet Security Threat Report. While it would be nice to say that we spend hours a day poring over news articles, third-party reports, and dozens of emails every day, the truth remains that what we do is largely unscientific; we have day jobs and personal interests that sometimes don't allow us to put the time and resources into updating the web page and database on an hourly (or even daily) basis. This comment is not meant to seem apologetic; we do what we can, when we can. For those reading this who take a larger interest in the issue and can use our data in a manner that advances research and discussion, we whole-heartedly salute you.
Please give us feedback. We can't promise to implement all suggested changes, but we do read and think about every email we receive, even if it takes a few days or weeks to respond.