Thresholds and Scale of Identity Fraud

A new study from ID Analytics provides evidence that you are better off being a victim of a large data breach (e.g. VA, 26 million records) than a small one (your alma mater):

Smaller breaches had a higher misuse rate than larger breaches. Misuse
of personal data ranged from one in 200 identities for breaches of
fewer than 5,000 individuals to a misuse rate of less than one in
10,000 identities for breaches of more than 100,000 individuals.

This is an assertion I made after the VA breach:

If this is true, then it is best for each individual involved to be one
of many; the larger the number of SSNs stolen, the less likely any
individual is to be a victim. So 26.5 million is better than, say, 5
and 300 million would be better still. (Obviously, the best case would
be to not be in this group at all).

(more of my commentary on the VA incident.)

2 comments for “Thresholds and Scale of Identity Fraud”

  1. November 9, 2007 at 11:37 am

    This is pretty much the textbook case of “misery loves company.”

    If a million people get their data stolen, someone is going to do something about it without you needing to do something.

    If a hundred people get their data stolen, it’s probably up to you.

  2. Pete
    November 9, 2007 at 11:51 am

    @Dan -

    If your point is that the extra attention placed on huge breaches ends up reducing the risk to any individual, it is certainly an interesting one. I think that was something Chris Walsh brought up during the VA breach discussion, and I’ve discussed it as well.

    I am a bit skeptical, however, that we can really do anything in the recovery/response phase of a breach that would lead to the 25x improvement suggested by the difference. I think it is simply due to the abundance of records available.

    The other thing that got brought up was the length of time that someone has to compromise the IDs…
