Defacto Damage: Unusual Trends in Loss Figures


September 13, 1999

Brian Martin

A disturbing trend is emerging in computer crime across the United States. A trend that can not easily be passed off as mere coincidence either. With each computer crime comes a figure for damages and losses. Not surprisingly, when media and law enforcement report these figures, they are rarely presented as estimates. These figures are reminiscent of the Software Publishing Association (SPA) and their stupendous ability to narrow in on precise damage figures. The SPA says that $3,074,266,000 in damages occurred as a result of software piracy in the United States in 1997. Ever wonder how the SPA can nail a figure like this down to the last 6,000 dollars?

This ability is migrating from software piracy to computer crime damage figures. Rather than inflate and use an age old tactic in bolstering claims by using precise figures, the ones waving these damage figures around aren't that refined. Every time I see any monetary value placed on computer crime damage, be it software piracy of fallout from a malicious hacker, I always think back to a book I once read. The first two pages of the book How to Lie With Statistics explained this miraculous ability.

Relevant Numbers in Computer Crime

There are several numbers one should be familiar with when discussing computer crime. None of these are necessarily exact figures, but more importantly give a range to help put things in perspective. These numbers have been derived from patterns based on several years of computer crime.

Four Diverse Examples

We can examine four specific cases that illustrate the point and support the trend. Each example involves wildly different means that mysteriously reach the same ends.

One: New York Times (

In September of 1998, the New York Times found themselves victim to hackers who defaced their web page. The intrusion and web page altering occurred on a Sunday morning and left the site down for nine hours. Varying reports followed claiming parts of the web site were still down up to a week later. The intrusion involved compromising between one and a dozen machines in their DMZ. Monday morning, the bulk of their web site appeared to be up and ready, faithfully kicking out news including the newly released Starr Report.

Summary: Between 1 - 12 machines compromised. Up to 24 hours of downtime on a Sunday (typically low traffic compared to weekday). The site does not charge viewers for any service.

Damage tag: $1,500,000. One million five hundred thousand dollars according to some.

Two: Route 66 ISP (

Throughout a significant part of 1998, an ISP located in New Mexico supposedly received a devastating hacker attack. During this lengthy intrusion, hackers kept control of machines despite administrator attempts to boot them off the system. The intruders compromised the customer credit card file containing some 1749 credit card numbers. They went on to deface the web page of the ISP and were eventually blamed for 5% of the customers cancelling service.

Summary: Between 1 - 6 machines compromised. Several months of administrator headache in dealing with intruders. Credit card database compromised.

Damage tag: $1,800,000. One million eight hundred thousand dollars according to some close to the case.

Three: Kevin Mitnick

Perhaps one of the most prolific hackers in the media, Kevin Mitnick's deeds are a matter of legend. Kevin is allegedly responsible for intruding into the networks of Sun Microsystems, Motorola, Fujitsu, Novell, Colorado Supernet, Netcom, Nokia, the Well and other systems. The intrusions are believed to have occurred over a year or more time, involving hundreds of machines. Kevin reputedly stole proprietary source code for operating systems or cellular phones from half a dozen companies. Included in his escapades was the pilfering of the Netcom customer credit card database, almost 20,000 cards.

Pinpointing damage on the Mitnick sage is a monumental task. In the past twelve months, damage figures have dropped from $299,927,389.61 to you guessed it, $1.5 million. Interim figures also pinned damages at between $80 million and $291 million.

Summary: Hundreds of machines compromised over two year span. Proprietary source code to half a dozen operating systems or cellular telephones stolen. Approximately 20,000 credit cards compromised.

Damage Tag: $1,500,000. One million five hundred thousand dollars according to federal prosecutors.

Four: The Phonemasters

In the span of three or more years, three individuals known as the 'phonemasters' infiltrated systems belonging to (list of cos). Demonstrating complete control and access to these systems, federal prosecutors claimed life threatening resources were at risk because of their intrusions. Everything from 911 emergency systems to air traffic control could be shut down with a push of a button. What kind of price do you put on that many human lives?

Damage Tag: $1,850,000. One million eight hundred fifty thousand dollars according to federal prosecutors.


Looking at a damage tag of 1.5 million dollars, we can compare the case of the New York Times with Kevin Mitnick's deeds. A single web page defaced, versus an alleged two year spree of breaking into some of the largest cellular phone manufacturers as well as vendors who create powerful operating systems. The New York Times which involved no theft of information compared to Kevin Mitnick who was believed to have stolen millions of lines of proprietary source code, tens of thousands of credit card numbers and more. Is it coincidence or logic that lead to each having the same damage placed on them?

Perhaps more bizarre is the comparison between Route 66 and the 'phonemasters'. A single ISP with no more than five thousand customers claims the same amount of damages as three hackers compromising hundreds of phone systems, credit bureaus, emergency systems and more. The loss of 1749 credit cards versus the compromise of entire credit companies with access to hundreds of thousands of credit cards. Yet each incident claimed almost the same amount. 1.85 million dollars in supposed damages from each.

Conclusion: The Magic Number

It is extremely ironic that these four drastically different cases of computer crime all ended with roughly the same monetary damage figure. Two claims of 1.5 million and two claims of 1.8 million. It becomes obvious that these claims can not all be right. At best, only two of the four cases could feasibly be accurate and maintain any semblance of logic. I think it more accurate to say that perhaps only a single one is near the actual damage tag. The rest are cashing in on a convenient number that is ideal for public relations and courtrooms.

The next time you are the victim of computer crime, don't bother paying a dime for investigation into the events or the actual damage. Instead, use that money to secure your system while you casually slap on a damage figure of roughly 1.5 million dollars. It is far too easy to use the magic number than to spend time and effort researching the actual damage. After all, you are the victim, why would anyone challenge you.

main page ATTRITION feedback