[Med-privacy] critique of GAO report
peter marshall
pwm@comcast.net
Thu, 19 Jul 2007 15:16:17 -0700
ANALYSIS OF THE GAO REPORT ON BREACH NOTIFICATION
This report is fascinating and worth reading. However, the way the
analysis was done might lead to some incorrect conclusions - namely
that massive credit card theft via computer attacks seldom leads to
fraud. The report mentions that, "...in reviewing the 24 largest
breaches reported in the media from January 2000 through June 2005, GAO
found that 3 included evidence of resulting fraud on existing accounts
and 1 included evidence of unauthorized creation of new accounts."
Yet, the report also mentions that "In addition, in 2005 FTC settled
charges with BJ's Wholesale Club in which alleged security breaches
resulted in several million dollars in fraudulent purchases using
customers' credit and debit card data. As discussed later in this
report, FTC has also taken enforcement actions related to data breaches
at several other companies, including ChoicePoint, CardSystems, and
DSW, in which it uncovered evidence that the breaches resulted in
identity theft." The summary mentions three plus one cases, and the
details mention four specific cases plus "several other companies."
Undoubtedly, some of those other situations include some form of fraud.
Perhaps they were left out of the summary counting because either they
were not among the 24 largest, or they occurred outside of the
2000-2005 timeframe. Still, they should not be overlooked.
The report looks at the 24 largest breaches over the space of
approximately five years. Averaging it out linearly, that's only about
5 per year. As you can see in any NewsBites over this period, there are
a much larger number of smaller cases, which this report completely
overlooks in its analysis. The report briefly mentions 570 breaches
from January 2005 to December 2006, yet only analyzes a small number of
the largest of those breaches. But, for the consumers who suffered
identity theft, these were not trivial cases.
Furthermore, one of the most common ways that organizations suffering
a breach discover the situation involves getting notification from the
credit card companies and back-end banks, which employ complex
fraud-detection systems. Thus, in a lot of cases, the only way many
breaches are identified is based on the detection of fraudulent use.
That fact seems to fly in the face of the conclusions of the report.
Also, thieves who break into a company's computer systems to steal
credit card information do so for a reason -- to commit fraud. A laptop
thief, on the other hand, is often just after hardware for a cheap
sale. Conflating the two kinds of cases muddies the waters.
The bottom line here is that the report seems to mix together very
different kinds of cases - the deliberate hacking into a company to
steal credit cards and the loss or theft of a laptop with sensitive
information. It labels both a "breach" and then concludes that most of
the cases don't involve fraud or identity theft. However, if these two
types of situations were uncoupled and more cases were analyzed in more
depth, the number of hacking-related breaches involving fraud would
certainly look more damning than the report indicates.
Despite this concern with the analysis, the line of argument above
does support a primary conclusion of the GAO report. That is, different
kinds of breaches have different likelihood of exposure of data, and
therefore perhaps should be treated differently. But, putting aside
laptop theft, this does not mean that a computer attack that involves
the theft of credit cards is unlikely to result in fraud. Quite the
opposite is true.
[SANS Institute]