Is Privacy Rights Clearinghouse Purposely Lying?

So, here’s the thing. I am starting to see (and hear) this "100 million records lost compromised since February, 2005" figure referenced in a number of places such that it has somehow gained credibility. What I wonder is if the Privacy Rights Clearinghouse is blatantly lying by listing the CardSystems’ 40 million records (I am not a statistician, but I think that is a full 40% of the total ;-) ), or is just shoddy in its tracking (wink, wink, nudge, nudge).

Or, I could be wrong… but when I read the congressional testimony of the CardSystems’ CEO he clarified that it was actually 263,000 records (a full…ummm….something % of that adjusted 60 million records). The only copy I could come up with quickly was a Google cache but I note this because when I read the statement I remembered this adjustment, which is obviously significant and was covered at least nominally.

So, what do you think? An "oversight" or deliberate? If I were a privacy advocate, I certainly would want the rather substantial correct number of 60 million to be the one that is used, considering it appears to reflect the real numbers better.

4 comments for “Is Privacy Rights Clearinghouse Purposely Lying?”

  1. January 22, 2007 at 12:12 am

    Compromise, Loss, Exposure, and Disclosure

    Does Chris Walsh need a trim for all his hairsplitting? ;-) I have been taken to task by Emergent Chaos for my use of the term lost instead of compromised with respect to Privacy Rights Clearinghouse’s tally for data breaches. [It is particularly telli…

  2. Dan Riley
    January 23, 2007 at 8:20 am

    263,000 is the number of records “confirmed to have left the CardSystems platform”–a lower bound on the number of records “lost”. In threat assessment it is the upper bound that matters. While Perry’s testimony tries hard to make it sound like only those records were shipped offsite, he doesn’t actually say so. Unless there’s a more convincing statement out there, the 40 million records reported to have been exposed remains the operative upper bound for that security breach.

  3. January 23, 2007 at 11:43 am

    Compromise, Loss, Exposure, and Disclosure

    Does Chris Walsh need a trim for all his hairsplitting? ;-) I have been taken to task by Emergent Chaos for my use of the term lost instead of compromised with respect to Privacy Rights Clearinghouse’s tally for data breaches. [It is particularly telli…

  4. Pete
    January 23, 2007 at 11:47 am

    @Dan -

    An interesting point, but then all credit card numbers and SSNs should be the operative upper bound for the threat assessment – they are used too often not to be.

    In addition, after scanning the PRC chronology, I don’t believe they adhere to your process. In fact, they are fairly conservative in what numbers they include in the total, and use the most accurate estimates that exist, except in this case.

    It is easy to see why – dropping the 100 million by 40 million (about) would significantly impact their ability to get back to that 100 million number any time soon.

Comments are closed.