Comments on: Is Privacy Rights Clearinghouse Purposely Lying?

By: Pete

Pete — Tue, 23 Jan 2007 15:47:12 +0000

@Dan -

An interesting point, but then all credit card numbers and SSNs should be the operative upper bound for the threat assessment – they are used too often not to be.

In addition, after scanning the PRC chronology, I don’t believe they adhere to your process. In fact, they are fairly conservative in what numbers they include in the total, and use the most accurate estimates that exist, except in this case.

It is easy to see why – dropping the 100 million by 40 million (about) would significantly impact their ability to get back to that 100 million number any time soon.

By: Spire Security Viewpoint

Spire Security Viewpoint — Tue, 23 Jan 2007 15:43:57 +0000

Compromise, Loss, Exposure, and Disclosure

Does Chris Walsh need a trim for all his hairsplitting? I have been taken to task by Emergent Chaos for my use of the term lost instead of compromised with respect to Privacy Rights Clearinghouse’s tally for data breaches. [It is particularly telli…

By: Dan Riley

Dan Riley — Tue, 23 Jan 2007 12:20:53 +0000

263,000 is the number of records “confirmed to have left the CardSystems platform”–a lower bound on the number of records “lost”. In threat assessment it is the upper bound that matters. While Perry’s testimony tries hard to make it sound like only those records were shipped offsite, he doesn’t actually say so. Unless there’s a more convincing statement out there, the 40 million records reported to have been exposed remains the operative upper bound for that security breach.

By: Spire Security Viewpoint

Spire Security Viewpoint — Mon, 22 Jan 2007 04:12:31 +0000

Compromise, Loss, Exposure, and Disclosure