Data breaches are so common that even a theft of a billion records of seriously confidential information barely makes the news. It’s business as usual. Part of the problem is that all the data breaches involving our data become melded together. It seems as if all our personal data is already out there — many times over. So, who cares if it happens once (or ten times) more? We’re numb to yet another attack that includes our personal data. In the beginning we feared every announced data breach. Now we don’t fear any.
I've previously written about the lack of useful risk management data surrounding most data breaches. Specifically, I didn’t like the lack of pertinent facts around each individual data breach, which doesn’t allow stakeholders to determine how bad the breach really was. For example, if a hospital accidentally leaves behind personal medical information in an old office during a move to new office space, it’s called a data breach and treated by reporting entities and databases as being as serious as a malicious data breach where criminals stole data.
The same is true when a website coding error leaves records exposed and a whitehat hacker publicizes it. It’s treated as if malicious hackers have used the vulnerability to pull every record the website has. “A billion records exposed!” scream the headlines, but there is no proof that anyone maliciously pulled a single record. Exposure is a far different risk from actual theft. Unfortunately, the news media often treats them the same.
Every data breach is usually treated like a bad data breach even if the true risk is something less. In my earlier article, I suggested a data breach rating system like what is already in place for reported software vulnerabilities. I got a good response, including dozens of security experts who agreed with me. A few respondents even said they were working on exactly what I was asking for.
Breach Clarity offers insight into breach risk
Last week one of them, Jim Van Dyke, CEO of Futurion, showed me his new beta website called Breach Clarity. Van Dyke is a long-time computer technologist and analyst with over 35 years of experience, specializing in fraud and identity management. He has founded several companies, including multiple digital technology-related research firms. He sold his last, Javelin Strategy & Research, and now works full time as an expert witness in major data breach cases. He was on the Consumer Advisory Board of the U.S. federal Consumer Financial Protection Bureau (CFPB) for three years and has testified to the U.S. House of Representatives. Suffice to say that Van Dyke has some relevant experience in and around data breaches.
Breach Clarity allows any visitor to enter the name of a breached company and find out what information was taken and the relative risk of that particular breach, rated on a scale of 1 to 10, with 10 being the highest. The figures below show two examples, one high risk and the other relatively low risk.
It shows you not only the relative ranking score, but what types of information were stolen (e.g., name, credit card or Social Security numbers) and tells you what type of fraud risk that particular type of data leads to. It also gives consumers actions they can take to protect their identity and to prevent fraud. In my testing of the site I found a few small bugs, and I didn’t always agree with the rankings. I’m not even sure what goes into the algorithm that determines the scores. However, I’ve never come across a site that makes it so easy to see what information was taken, field by field, and what the potential risk exposure is. It’s a really good start to a very complex problem.
I talked with Van Dyke, and he’s passionate about the subject and has extra personal motivation to help improve the world. That’s a good thing and I’m glad he is working on the problem.
Breach Clarity complements HaveIBeenPwned
I would love to see a feature where any person could put in their own name and see all the information that has been stolen about them, from what companies and when. That would be a very tough one for anyone to pull off because there is no centralized public (or even private) database that tracks breaches by individual name. That would be the Holy Grail.
If I know that my information was breached from such-and-such a company, I can go to Jim’s site and see what information was taken and get a relative risk score. Many times we aren’t aware of data breaches that involve our information. When I went to Troy Hunt’s HaveIBeenPwned site, I was shocked at how many times my email address was listed as having been compromised. (Note: Hunt is putting his fantastic site up for sale. Kudos to the lucky buyer and thanks, Troy, for giving us a place to find out how many times our individual records were compromised.)
What we need is a combination of the Breach Clarity and HaveIBeenPwned services melded together, along with a publicly known algorithm that shows how the different breach severities were determined. I want to clarify that a truly low risk “breach” such as leaving records behind in an old office is not nearly as risky as when a bad guy takes off with my personal information. The intent of the attacker, if known, needs to be part of the equation.
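To make the argument concrete, here is an added illustration of what such a publicly known scoring algorithm could look like: severity derived from which data fields were taken, scaled by the attacker's intent or the evidence of actual theft. This is hypothetical code written for this article, not Breach Clarity's undisclosed algorithm; every weight, intent factor and recommended action is an assumed value chosen to show the shape of the model.

```python
"""Illustrative, transparent breach-severity scoring.

Hypothetical model written for this article, not Breach Clarity's algorithm:
severity depends on which data fields were taken and on attacker intent, and
every weight is visible so stakeholders can see how a score was reached.
"""
import math

# Assumed per-field weight and the kind of fraud that field primarily enables.
FIELD_RISK = {
    "name":          (0.5, "social engineering"),
    "email":         (1.0, "phishing / credential stuffing"),
    "password_hash": (2.0, "account takeover"),
    "credit_card":   (3.0, "payment card fraud"),
    "medical":       (3.0, "medical identity fraud"),
    "ssn":           (4.0, "new-account identity fraud"),
}

# Assumed intent/evidence multiplier: exposure with no proof of theft, or an
# accidental misplacement, is far less risky than confirmed exfiltration.
INTENT_FACTOR = {
    "confirmed_theft": 1.0,
    "unknown": 0.6,
    "exposed_no_evidence": 0.3,
    "accidental_misplacement": 0.15,
}

# Assumed consumer actions keyed by the fraud risk a field creates.
ACTIONS = {
    "social engineering": "be wary of unsolicited contact that cites your data",
    "phishing / credential stuffing": "treat email with suspicion; use unique passwords",
    "account takeover": "change the password and enable MFA on that account",
    "payment card fraud": "ask the issuer to reissue the card; watch statements",
    "medical identity fraud": "review explanation-of-benefits statements",
    "new-account identity fraud": "place a credit freeze with the bureaus",
}

def score_breach(fields, intent):
    """Return a 1-10 severity score plus the reasoning and actions behind it."""
    unknown = set(fields) - set(FIELD_RISK)
    if unknown or intent not in INTENT_FACTOR:
        raise ValueError(f"unknown fields {unknown} or intent {intent!r}")
    raw = sum(FIELD_RISK[f][0] for f in set(fields))  # repeated fields count once
    factor = INTENT_FACTOR[intent]
    score = max(1, min(10, math.ceil(raw * factor)))   # clamp to the 1-10 scale
    risks = sorted({FIELD_RISK[f][1] for f in fields})
    return {
        "score": score,
        "fraud_risks": risks,
        "actions": [ACTIONS[r] for r in risks],
        "explanation": f"raw field risk {raw} x intent factor {factor} -> {score}/10",
    }
```

With these assumed weights, the same four fields (name, email, SSN, credit card) score 9/10 when theft is confirmed but 3/10 when they were merely exposed with no evidence of access, which is exactly the distinction the article asks reporting databases to make.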
I’m delighted to see progress being made on better risk-ranking of data breaches. These new and evolving services aren’t widespread yet, but they are steps in the right direction. I wish the Van Dykes and Hunts of the world greater success. We need these types of people out there being our advocates.