Educause Security Discussion mailing list archives

Re: Universities riskiest place for SSN


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 8 Nov 2010 14:45:37 -0500

On Mon, 08 Nov 2010 13:12:21 EST, Allison F Dolan said:

Interesting list of risky places to give your SSN - higher ed is #1

http://finance.yahoo.com/banking-budgeting/article/111238/10-riskiest-places-to-give-your-social-security-number?mod=bb-budgeting

A very serious statistical error renders their conclusions suspect:

"The places are ranked based on the number of data breaches involving Social
Security numbers from January 2009 to October 2010."

No they're not. They're ranked based on the number of *known* breaches.

If "universities" have 100 actual breaches and detect 90+% of them, they end up
higher on the list than somebody who has 150 breaches and detects 60-% of them.
(And let's face it - the same sort of situation that tends to increase the
chances of a breach also means that there's less chance of it being detected,
so it's *not* an unreasonable question in the slightest).

The analysis can't possibly improve after that error. As Eric Case points out,
they're also fuzzy on things like "number of records per breach" or "total
records exposed".  94 million records in the Heartland mess is one breach, as
is 35 student SSNs compromised on a roster sheet.  But they're not at all the
same thing.
