BreachExchange mailing list archives
Re: 88 million... is it really an accurate number?
From: blitz <blitz () strikenet kicks-ass net>
Date: Tue, 27 Jun 2006 17:42:19 -0400
Note, they're now claiming the VA losses at 28.7 million, due to spousal info. http://www.newswithviews.com/Stuter/stuter94.htm At 17:30 6/27/2006, you wrote:
For the past few days, I've been doing more research on recent data breaches,especially including types of breaches and numbers affected. One number keepscoming up in the media: 88 million. In many cases, "88 million" is described as the number of compromised records. In other cases, it is described as "Americans" or "people": http://www.first.org/newsroom/globalsecurity/32460.html (Americans) http://biz.yahoo.com/bizwk/060623/b3991041.html (Americans)http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001282(records) http://www.internetnews.com/security/article.php/3615461 (people) We know that the number 88,000,000 or so has been calculated by adding the number of total people affected from all listed breaches since Choicepoint inFebruary 2005. Looking at this total though, it seems to me that the number is inflated due to the fact that it appears to represent unique individuals. TheVA breach really caused me to take a better look at the situation and rework some of the numbers. In this situation, all numbers are estimates and examples are hypothetical. Let's use 26.5 million as the estimated number of people affected in the VA breach. Because the total U.S. popluation is approaching 300 million, 26.5million would represent one out of every eleven U.S. citizens, or roughly ninepercent. For rounding purposes, let's say about ten percent of U.S. citizens were affected by the VA breach. 88,000,000 total minus 26,500,000 VA ---------------- 61,500,000 non-VA breached Assuming ten percent of the U.S. population has been in the military based on the VA numbers, it would be safe to estimate that about 6.15 million former vets were involved in all other breaches. Those 6.15 million would be duplicated in the VA total, so should be subtracted from the overall total, which would then equal about 81.85 million. But what about other duplicates? I'm sure many people were affected by more than one breach. Those with records in the Choicepoint incident may likely have been affected by the LexisNexis breach. Someone with an Ameriprise account may have been cared for by Providence Home Services. It probably goes on and on to the point that the *unique* number of people affected will probably never be accurately determined. I can understand saying 88 million "records" have been breached, but if we're judging by records and not individuals, then Acxiom would have been the worst breach of all time: http://attrition.org/errata/dataloss/2003/12/acxiom05.html More than a billion records.. but how many individuals? Did each individual have ten records per listing in Acxiom's database? Fifty? A hundred? Did Acxiom really have the records of one-sixth of the world's population in a database? Did the media bother to make this distinction, or just use the number "one billion" for shock value without digging to find the facts? I honestly believe that the media either is using the wrong terminology when referring to "number affected" or doesn't understand the complexity ofquantitatively analyzing how many people are truely affected by data breaches.This may be a point for us all to consider when using overall "totals" as astatistic in the media. While the number of individual records, Americans, orpeople *per incident* may be relatively accurate, 88 million "people" or "Americans" seems high, and it should be the media's responsibility to make this distinction. Lyger _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
Current thread:
- 88 million... is it really an accurate number? lyger (Jun 27)
- Re: 88 million... is it really an accurate number? blitz (Jun 27)
- <Possible follow-ups>
- Re: 88 million... is it really an accurate number? *Hobbit* (Jun 27)
- Re: 88 million... is it really an accurate number? blitz (Jun 27)
- Re: 88 million... is it really an accurate number? lyger (Jun 27)
- Re: 88 million... is it really an accurate number? blitz (Jun 27)