BreachExchange mailing list archives

Never trust the first number announced in a data breach


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 7 Oct 2015 20:17:31 -0500

http://qz.com/517649/never-trust-the-first-number-announced-in-a-data-breach/

Last week, T-Mobile revealed that hackers had stolen records for
“approximately” 15 million of its customers. How approximate? If history is
any guide, very approximate.

When a company or government agency suffers a data breach, the number of
records it says were lost is often a preliminary estimate, whether it
says so or not. Typically, the investigation has only just begun. So the
organization announces a number and goes back to investigating, digging
into the voluminous activity logs in its security systems.

As a result, large data breaches tend to grow even larger over time.
Target, for instance, initially revealed
<http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores>
that 40 million payment cards had been stolen from the retailer, but also
said it was still conducting a “thorough investigation.” That foreshadowed
its later announcement
<http://pressroom.target.com/news/target-provides-update-on-data-breach-and-financial-performance>
that 70 million additional records had been compromised.

Consider that most of these large organizations with sensitive records are
drowning in alerts from sophisticated security systems that bleep and bloop
all day, every day. Separating the important bleeps from the meaningless
bloops is increasingly difficult. That’s one reason why nearly half of all
network intrusions take months to discover, according to a Verizon report
<http://www.verizonenterprise.com/DBIR/2015/>, and those discoveries are
usually made by law enforcement, not the organizations themselves.

Data forensics is difficult work. “Attacks can take so much data for so
long a period of time, it’s nearly impossible to know how much was lost,”
said Salvatore Stolfo, head of the intrusion detection lab at Columbia
University.

Organizations sometimes are forced to estimate the scale of attacks based
simply on the total number of records in compromised databases and servers.
Another way to measure the breach’s scope, according to Stolfo, is to find
the stolen data posted online. In the case of Adobe’s 2013 data breach, 3
million compromised accounts quickly turned into 38 million; then experts
found an online dump that appeared to be the Adobe data, and it included 150
million records
<http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/>.

Organizations that have been hacked usually signal that the size of the
breach is likely to grow larger.

Adobe’s first statement said
<http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html>,
“Our investigation currently indicates…”

Home Depot initially said
<http://media.corporate-ir.net/media_files/IROL/63/63646/HD_Data_Update_II_9-18-14.pdf>,
“The company’s ongoing investigation has determined…”

When hackers first revealed that American tax returns had been stolen
earlier this year, the US Internal Revenue Service said
<http://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application>,
“The matter is under review.” The number of affected taxpayers later
tripled in size.

Likewise, when the US Office of Personnel Management lost the records of
millions of government employees, it first said
<https://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/>,
“Since the investigation is on-going, additional PII exposures may come to
light,” referring to personally identifiable information. The number grew
from 4 million to nearly 26 million in about a month.

T-Mobile is currently in the post-announcement investigation stage,
checking out a particular bleep, searching through logs and records.
Experian, the record-keeping vendor that lost T-Mobile’s data, has been
here before. Last year, one of its subsidiaries, Court Ventures, lost 200
million records in a peculiar breach where the culprit was actually a paying
customer <http://www.experian.com/blogs/news/2014/03/30/court-ventures/>.

T-Mobile CEO John Legere released a statement after the incident saying
he’s “incredibly angry” with Experian and that T-Mobile will “institute a
thorough review of our relationship” with the vendor.
His statement also said, “The investigation is ongoing.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss