Monthly Archives: September, 2009

Having “fun” with the Data Set

We recently had an inquiry regarding whether or not we could store more details about certain breaches, specifically the type of hack (for hacked breaches) that was used, or the application that ended up being breached. Neat ideas, of course, and we’ve considered them ourselves on several occasions, given that we have OSVDB as our sister project. We’ve always wanted to use both, or tie them together; however, we run into some issues in doing so. One big one is that we rarely know the cause of a given breach. That information is simply not disclosed the vast majority of the time. Neither is the application that was exploited; in fact, I can’t recall a single instance of a specific vendor’s product being named in our data set (but I suppose there might be a couple if I looked hard enough).

Adding new fields to the database is a fairly straightforward thing to do, but we don’t like to do it unless we can at least somewhat consistently populate those fields. A visitor suggested searching the Primary Sources archive for this kind of detail, so, for fun, we did.

Querying for “sql injection” yields 21 primary source results, associated with roughly a dozen unique incidents, give or take (a single breach often generates several letters, one per state notified). That was more results than I thought we’d have, anyway. But more than anything, it made me wonder what other interesting queries could be made. So, I tried a few:

Querying for “search engine” or for “google” yielded some delightful entries about stuff getting indexed.

Querying for “encryption key” had some interesting results where the encryption key had been lost with the encrypted systems/media.

My personal favorite! Querying for “no reason to believe” showed just how much of a cliché that phrase is in data breach notification letters, returning over 15% of all primary sources.

Querying for “former employee” gives us a glimpse into fraud committed after employment.

Querying for “password protected” shows how commonly that phrase is used as a “don’t worry” clause in breach notification letters.

Querying for “windows” yielded a few primary sources describing breached Windows servers, but only a few.

Querying for “database” was also somewhat interesting.

There are likely hundreds of other interesting combinations. The above are just the ones we thought up. Experiment on your own, and if you find anything good let us know.
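For readers who want to run the same kind of phrase search over their own pile of notification letters, here is an added example (not code from the DataLossDB project). It assumes a small, constructed set of records shaped like Primary Sources entries, each with a source id, an incident id and an excerpt, and shows the two numbers the post quotes: raw source hits collapsed to unique incidents, and the share of all sources that contain a phrase. The excerpts are made up for illustration.

```python
import re

# Constructed stand-ins for Primary Sources entries, not real notification
# letters: (source_id, incident_id, excerpt). Several sources can belong to
# one incident, just as one breach often produces letters to several states.
SOURCES = [
    (1, "inc-a", "An attacker used a SQL injection attack against our web application."),
    (2, "inc-a", "Follow-up notice: the SQL injection flaw in the application has been patched."),
    (3, "inc-b", "The stolen laptop was password protected. We have no reason to believe "
                 "the data has been accessed."),
    (4, "inc-c", "A former employee accessed customer records without authorization."),
    (5, "inc-d", "Backup tapes were lost in transit together with the encryption key."),
    (6, "inc-e", "We have no reason to believe that any information has been misused."),
    (7, "inc-f", "Customer records were indexed by a search engine after a configuration error."),
]


def search(sources, phrase):
    """Return the (source_id, incident_id) pairs whose excerpt contains the
    phrase as whole words, case-insensitively. The word boundaries keep a
    query like 'key' from matching 'keyboard'."""
    pattern = re.compile(r"\b" + re.escape(phrase) + r"\b", re.IGNORECASE)
    return [(sid, iid) for sid, iid, text in sources if pattern.search(text)]


def summarize(sources, phrase):
    """Count matching sources, collapse them to unique incidents, and give the
    share of all sources that match (the '15% of all primary sources' figure)."""
    hits = search(sources, phrase)
    return {
        "phrase": phrase,
        "sources": len(hits),
        "incidents": len({iid for _, iid in hits}),
        "share": len(hits) / len(sources) if sources else 0.0,
    }


def rank_phrases(sources, phrases):
    """Summaries for several phrases, most frequent first, so the clichés of
    breach letters stand out."""
    return sorted((summarize(sources, p) for p in phrases),
                  key=lambda s: s["sources"], reverse=True)


if __name__ == "__main__":
    # The queries tried in the post above.
    QUERIES = ["sql injection", "search engine", "google", "encryption key",
               "no reason to believe", "former employee", "password protected",
               "windows", "database"]
    for s in rank_phrases(SOURCES, QUERIES):
        print(f'{s["phrase"]:<22} sources={s["sources"]} '
              f'incidents={s["incidents"]} share={s["share"]:.0%}')
```

Counting by incident rather than by source matters when comparing phrases: a single SQL injection breach notified to several states inflates the source count without adding incidents, whereas a boilerplate phrase like “no reason to believe” spreads across many unrelated incidents.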

Data Breach Notification Letters

Many of our “regular” readers are keenly familiar with data breach notification letters. They’ve seen the Primary Sources Archive, or have been unfortunate enough to have the honor of receiving one, or, potentially worse, have had the unfortunate honor of drafting one. Many, however, have not. Nearly every state in the United States has adopted data breach legislation, and new states continue to adopt such laws each year. Several federal legislative efforts are under way to blanket the nation, and one covering medical data breaches has already passed. Internationally, the issue is also progressing.

Some states, like Massachusetts and Nevada, have passed laws, or are considering legislation, governing the implementation of practices to protect personally identifiable information. These requirements are bringing the issue to the people, forcing businesses small and large alike to consider their security practices, from document disposal and retention periods to data encryption and fraud prevention. While the effectiveness of these new laws is debatable, there is no question that the laws are forcing the issue to be considered, and that isn’t necessarily a bad thing.

This is where the Primary Sources Archive can really help businesses of all sizes. We have samples of thousands of data breach notification letters, issued by companies big and small to various states in compliance with the law. Wondering how a breach letter should look when sent to Massachusetts? We have hundreds of samples for you, real-world examples. Wondering how you should fill out the New York or North Carolina data breach notification forms? We have almost a thousand of those combined. Wondering what type of incidents people are notifying on in Maine? Peruse our collection! You can even find law firms that specialize in data breach notifications, just by browsing through and seeing which firms are doing work for which companies.

The Primary Sources Archive really is an under-tapped resource for businesses of all sizes, be it the compliance department, legal counsel, or the small business owner. We’d like to encourage any readers to forward links to the Archive to their privacy officers or counsel. You’d be amazed at how useful they may find it.