Everywhere I look, there are data breaches that I would want to include in DataLossDB.org’s database. But as I backfill the database to include incidents reported on my blogs that were never in the database, my research stumbles over tons of other breaches that should also be included. Rather than getting closer and closer to finishing the backfilling task, it’s gotten huger and huger – so much so that I am beginning to think about changing my pseudonym to Sisyphus.
Complicating the task is the fact that we still have a lot of newly revealed breaches that occurred in past years where we have insufficient information to create a reasonable entry in the database. Consider this excerpt from a press release yesterday about Dionne Witherspoon’s sentencing:
According to information submitted to the court by Assistant U.S. Attorney Sherri L. Schornstein, Witherspoon helped organize a highly sophisticated identity theft and fraud ring from December 2006 through March 2010 that included more than 176 corporate and individual victims and at least 765 transactions resulting in approximately $1,446,805 in fraudulently obtained lines of credit and charges to those lines of credit of approximately $88,855.
Witherspoon put together an extensive network of co-conspirators who obtained victims’ identifying information and bank account information by stealing mail from the mailboxes at personal residences located in the District of Columbia and elsewhere.
The network also stole credit card receipts from a medical office in the 7300 block of Wisconsin Avenue NW and from two locations of Johnson’s Flower Shop, at 4200 Wisconsin Ave. NW, Washington, D.C. and 10313 Kensington Ave., Kensington, Md. In addition, credit card receipts and prescriptions were stolen from the CVS Pharmacy at 13th and U Streets NW, and student identifying information was stolen from Howard University.
Whose medical office? Did we know about this before? Did the patients know about this? And what about Johnson’s Flower Shop? That breach was never in the media as far as I can find. Were those customers notified and if so, by whom, and when? And were the Howard University data from a stolen laptop incident we knew about or from some low-tech theft of paper records? And what about the CVS receipts? Did CVS know and report this to HHS/OCR and the patients?
This press release reveals four incidents that should be in the database (or five if you count the two flower shop stores as separate incidents). Four incidents associated with ID theft that we did not know about. That’s four too many, for my money.
There really needs to be a revision in the way breaches are handled so that the public is assured that they will be notified of breaches involved in criminal investigations and that we are provided with sufficient details about these incidents so that we can learn from them. Otherwise, I fear that too many security analyses will continue to focus on high-tech breaches while ignoring the low-tech paper theft incidents that lead to ID theft and fraud.
In the meantime, I’m going to grab more coffee and add a note to myself to add these frustratingly incomplete entries to the database.