This note highlights examples of large-scale exposure
of consumer information through hacking of databases,
loss of computer tapes in transit or theft of laptops.
It covers -
- losses through unauthorised access to personal computers
and corporate networks
- losses through theft or disappearance of computer
tapes, floppy disks and CD-ROMs
- losses through theft, disappearance or merely inadequate
cleanup of laptops, PCs and servers
- losses through data custodians selling data to criminal
entities or merely publishing the data unintentionally
- questions about liability and legislation
- minimising data losses through network management,
vetting and other mechanisms
- official prosecutions, regulators, apologies, alerts
and class actions
- pointers to the legal and other literature
- how much do data losses cost?
It supplements discussion in the Security
& InfoCrime, Consumer
Protection and Identity Crime
pages elsewhere on this site.
The incidents highlighted in the following pages
are of interest as indicators of -
- persistence of media such as computer tapes in the transfer
of data from one location to another, contrary to claims
that all organisations do (or will) use private/public
- in the form of laptops and desktop machines - the server
may be guarded 24/7 but data is accessible when it is
embodied in a laptop that can be stolen in one minute
- importance of pretexting
and other social engineering - why crack code or break
doors when data is yours for the asking if you ask nicely,
look plausible and hand over an access fee to custodians
who do not appear to rigorously authenticate your bona
- irresponsibility in failing to encrypt sensitive information
or to ensure that data is removed from devices that
are sold by that organisation
- significance of legislation that requires organisations
to alert consumers about breaches
- reluctance of organisations to provide such alerts and
to accept responsibility for breaches.
how many breaches
It is clear that organisations (including some public
and private sector entities that promote their sensitivity
to consumer concerns or their expertise in data management)
expose personal information that has been placed in their
Some of that information has little detail or is otherwise
of low value, particularly in isolation. Some information,
in contrast, is highly detailed and comprehensive. Some
occurs in formats that are not readily mis-usable by unauthorised
people. Other formats can be easily read by specialists,
novices or even people with no training in writing code.
Some exposure is attributable to incompetence; other exposure
is intentional and involves improper action by people
inside/outside an organisation.
The extent to which exposure occurs during a given period
It is not possible to provide comprehensive and highly
accurate figures on how many credit card numbers, personal
history files, incident reports or other consumer information
were exposed in a particular jurisdiction or at a particular
time. Many of the published figures are hedged with uncertainties.
Others are simply invented, on the basis that they make
a good headline (or a good promotional statement) and
are unlikely to be dissected in detail.
That uncertainty reflects several factors.
One reason for uncertainty is that organisations simply
are not aware that there has been a breach, whether through
release of information by an insider or for example through
hacking by someone outside that organisation.
Another reason is that disclosure of problems potentially
results in negative publicity ("would you deal with
a business that doesn't bother to safeguard your information"),
attention by regulators, unwanted compliance costs (eg
funding credit watch reports for affected consumers and
bearing increased insurance rates) and even litigation
by aggrieved consumers.
Some organisations thus preserve market share, executive
bonuses and share prices by keeping quiet about problems.
Others conclude that silence will serve to starve the
hacking industry: keeping quiet will not stimulate
emulation or alert criminals to potential weaknesses in
network security arrangements. One legislative response,
increasingly common in the US, is to mandate reporting
by organisations to affected consumers.
A third reason is that there are few organisations collecting
and rigorously analysing the disclosures that are made.
Analysis is important for making sense of data losses.
Not all losses are of equal significance.
Some stolen laptops, for example, may contain sensitive
information but that information is inaccessible because
it has been encrypted. Some may contain sensitive information
but that data is of no interest to the thief (or to anyone
who buys the device when it is on-sold) and is accordingly
A fourth reason is that it is often difficult to establish
a clear chain of causation between the exposure of particular
data (often reported grudgingly) and identity theft or
other impacts on individuals.
It is thus common in the US, for example, to issue carefully
crafted legal statements indicating that the organisation
is "not aware" that exposure of information
has resulted in identity theft and offering a short term
palliative such as a free credit reference report.
Critics respond that of course the organisation's executives
and lawyers are formally unaware, as the victims have
not yet realised theft has taken place and attributed
that to the organisation's ineptitude.
As later pages of this note indicate, those critics also
comment that identity theft may be a lifetime experience:
the risk does not necessarily cease after six months when
the free report expires.
One point of reference is Ragib Hasan & William Yurcik's
Beyond Media Hype: Empirical Analysis of Disclosed
Privacy Breaches 2005-2006 and a DataSet/Database Foundation
for Future Work.
are they significant?
There has been no large-scale analysis of the cost to
national economies through exposure of data and much of
the literature about the impact on individual organisations
is decidedly anecdotal.
Surveys suggest that consumers do respond negatively
to data losses, which result in erosion of an organisation's
'brand' and support for legal measures (including new
legislation and class-based litigation).
The intensity of those responses appears to be increasing
as consumers become more privacy conscious and as publicity
is given to some of the more egregious breaches, especially
those where the data custodian addressed concerns in a
Many consumers and third parties have noted that in practice
switching costs may be high and opportunities to move
from one organisation to another may be small.
One critic of recurrent losses of data by E&Y for
example commented that its performance may have been poor
but major corporate clients cannot readily move to another
auditor. Another said
you can't trust EDS and Citigroup, who can
you trust? Do you think their competitors are going
to be better: they just haven't been caught
have noted that you don't have a choice of dealing with
government, which maintains a wide range of registers
and other data collections.
Some observers have used different perspectives, looking
at the impact on individuals or at the costs of reengineering
corporate practices to prevent losses. Much of that reengineering
is predicated on the idea that loss of a device or a data
carrier need not mean exposure of information, with laptops
for example being protected by passwords (and files on
that device being encrypted).