BreachExchange mailing list archives

Re: 88 million... is it really an accurate number? (fwd)


From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Wed, 28 Jun 2006 11:21:17 -0400



---------- Forwarded message ----------
From: blitz <blitz () strikenet kicks-ass net>
To: lyger <lyger () attrition org>
Date: Wed, 28 Jun 2006 09:08:38 -0400
Subject: [Dataloss] 88 million... is it really an  accurate number?

On Tue, 27 Jun 2006, lyger wrote:

Hobbit's question leads to yet another question regarding uniqueness:

You're an American citizen and have three credit cards.  Two are VISAs,
one is a MasterCard.  Are you:

1.  One "record" because of your name and mailing address,
2.  Two "records" because you have two different brands of cards,
3.  Three "records" because you have three unique card numbers, or
4.  Six records because of the cross-references between your card brands
and card numbers that seem to exist in various databases?

I can't honestly answer that question, so any insight would be
appreciated.  Are combined raw numbers really useful?  Example = Ohio
University.  In their four or five breaches, are they counting for
uniques?  Did one person's records live on five different breached
servers? One media story says 360,000.  Another says 70,000.  Is the
media counting "records", "names", "unique individuals", or some other
criteria?

(if responding, please post below for easier thread-following)


Hmm.. I see your problem..
I'd say every breach, at a different time, or of different data, by the
same or another reason/fault that allowed it to be acquired, would
constitute a separate incident.

In other words, if XYZ company lost your personally identifiable info on
Monday, but the thieves came back on Tuesday and got either the same or
different data, each would count as a separate incident. This would tend
to push figures higher, as the invader might have copied A-M account data
on Monday, and A-Z on Tuesday, but since they were on different occasions,
yes, I'd count them as separate incidents for the record. Of course, XYZ
would like to say "there was a data loss", but as long as we can date
the incursions, they should be separate IMHO. We ALL know the stats are
being manipulated DOWN by those affected for liability reasons... so if
you can document individual breaches, by all means count them as
separate.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/


In addition, many retailers do not keep customer records that allow them
to cross reference a credit card number with a customer name or address
(especially important in lieu of some of the notification laws being
passed).

So, if company A (which only stores card numbers and perhaps expiration
dates) has a breach, their only method of notification would be to
report the incident to their settlement provider (such as Paymentech),
who will report the incident to the card associations and the bank that
issued the cards, but no agency would then cross reference to see if
that "person" has been affected by another company.  Visa will not check
with American Express, etc.

I personally have been affected 3 times this year.  Once by the Veterans
Administration, once by Wells Fargo Student Loans, and once by Wells
Fargo Home Mortgage.  All three were stolen laptops.

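The counting question lyger raised, and the per-incident counting blitz argued for, can be made concrete. The script below is an added illustration, not code from anyone in this thread: it takes a constructed set of exposure rows (one person with two VISAs and a MasterCard, plus two others, exposed in a Monday and a Tuesday incident) and reports the total under each definition of "record", both deduplicated across incidents and summed per incident. The column names and the `incident` tag are assumptions made for the example.

```python
from collections import namedtuple

# One exposed row as a breach log might record it (constructed sample data).
Exposure = namedtuple("Exposure", "incident name address brand card_number")

# Monday: A-M account data copied. Tuesday: A-Z copied, so the same rows
# reappear plus one more person. Card numbers are made-up placeholders.
SAMPLE = [
    Exposure("Mon", "Ann Able", "1 Main St", "VISA", "4111000000000001"),
    Exposure("Mon", "Ann Able", "1 Main St", "VISA", "4111000000000002"),
    Exposure("Mon", "Ann Able", "1 Main St", "MasterCard", "5500000000000003"),
    Exposure("Mon", "Bob Baker", "2 Oak Ave", "VISA", "4111000000000004"),
    Exposure("Tue", "Ann Able", "1 Main St", "VISA", "4111000000000001"),
    Exposure("Tue", "Ann Able", "1 Main St", "VISA", "4111000000000002"),
    Exposure("Tue", "Ann Able", "1 Main St", "MasterCard", "5500000000000003"),
    Exposure("Tue", "Bob Baker", "2 Oak Ave", "VISA", "4111000000000004"),
    Exposure("Tue", "Zed Zane", "3 Elm Rd", "MasterCard", "5500000000000005"),
]

# The three definitions from the thread, expressed as identity keys.
KEYS = {
    "individual": lambda e: (e.name, e.address),        # name + mailing address
    "brand": lambda e: (e.name, e.address, e.brand),    # one per card brand held
    "card": lambda e: e.card_number,                    # one per unique card number
}


def count_unique(records, key, per_incident=False):
    """Distinct keys across all records, or the sum of distinct keys per incident."""
    if not per_incident:
        return len({KEYS[key](r) for r in records})
    by_incident = {}
    for r in records:
        by_incident.setdefault(r.incident, set()).add(KEYS[key](r))
    return sum(len(keys) for keys in by_incident.values())


def summary(records):
    """Every definition, deduplicated and per-incident, plus the raw row count."""
    out = {"rows": len(records)}
    for key in KEYS:
        out[key] = count_unique(records, key)
        out[key + "/incident"] = count_unique(records, key, per_incident=True)
    return out


if __name__ == "__main__":
    for label, n in summary(SAMPLE).items():
        print(f"{label:20s} {n}")
```

Note that a company holding only card numbers can compute the `card` line but not the `individual` line, which is the gap Andy describes: no party downstream joins the card-level counts back to people.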

