BreachExchange mailing list archives
Re: security breaches as a result of email
From: Al Mac <macwheel99 () sigecom net>
Date: Wed, 11 Oct 2006 12:45:59 -0500
If you dig into archives of this list and the new http://attrition.org/dataloss/dldos.html DLDOS data base, there are several instances where we have people who are klutzes with respect to how to use e-mail, and instead of sending some communication to ONE contact, they send something out listing all info on all contacts, or they have some kind of data base of info on people and there is a mismatch on who the data is supposed to go to.

For example, CSI has a data base on everyone who requested the FBI file on annual computer crime statistics, then they used some software package to e-mail those people with some invitation, except it mismatched ... info on person-A was sent with the invite to person-B, multiplied by however many people involved.

The data base has coding http://attrition.org/dataloss/dldoskey.html as to nature of breach that could narrow you down to this kind of relevance, but this is something that continues to evolve, and be improved upon by feedback here.

I do not see in the chart a coding for the nature of the breach:
* laptop gone missing
* dumpster diving
* hacker broke in
* data managers must have been computer illiterates
* data managers must have been privacy illiterates
* e-mail stupidity
* etc.

so if you do a search of the raw data, looking for "e-mail", you are going to get a lot of hits that what was breached was a person's e-mail address.

You might go to Privacy Rights Chronology http://www.privacyrights.org/ar/ChronDataBreaches.htm and study the whole thing, looking for breaches for that reason.

Several different outfits are trying to track this data. As mentioned in an earlier thread, Bill Yurick and a student worked to combine the breach data at: <http://www.projects.ncassr.org/storage-sec/papers/wesii-3.pdf> "Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work". You might find their graphics informative.
There are some other outfits that have done similar work, and I gave Bill links to those I was aware of, in case that would help with their efforts. If you are interested, I could dig into the e-mails I sent Bill & forward you, off line from this list. Basically I addressed suggestions for improving the report, and the state of privacy protection around the world.

Al Macintyre
I'm looking for examples or statistics where email (either intentional or not intentional) was the root cause of a security breach. Can anyone direct me to a web site where I may be able to locate this data?
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 136 million compromised records in 416 incidents over 6 years.