FUD and Exaggeration from the WaPo on Minor Security Breach

A new article in the Washington Post entitled "Justice Breyer Is Among Victims in Data Breach Caused by File Sharing" talks about how some idiot accidentally shared 2000 social security numbers of a lawfirm's high-profile clients. The article irks me for a couple reasons.

First, the leak is really quite small and insignificant, but the article blows it up like it's a huge thing. Sharing 2000 social security numbers of rich dudes is bad. But it's nothing compared to thousnds of hacked ATMs stealing card numbers *with PINs*, and sending them to a Russian hacker who has been draining bank accounts and has stolen at least $5 million *so far*, and hasn't yet been stopped. A little context please? (And the context provided in the article comparing it to a few other insignificant leaks isn't exactly helpful.)

But what bothers me even more is this completely false statement:

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare. About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
First, I don't even know what that means: how can it both be "outside a company's secured network" and "on company computers"? Or does "secured network" mean "the subset of the network that happens to not leak yet"? (Or does "network" mean "the office internet connection", without including the computers that connect to it?)

Regardless, it claims 40-60% of "all data leaks" are "usually as a result of ... file-sharing software". Where does that data come from? The only really exhaustive study I know on the subject was the Verizon one, and it came to a completely different conclusion:

Specifically, the words "p2p" and "file-sharing" and "limewire" don't appear anywhere in it. Furthermore, it says only 18% of leaks are due to insiders, and of those, only 3% were "inadvertent disclosure" (which I think would include accidentally sharing something on Limewire).

The upshot is the Verizon study suggests the exact opposite as this article: rather accidental file sharing being a significant source of leakage, it accounts for at maybe 0.54% of leaks.

So... what's up with the anti-P2P FUD?

1 comment:

Rafal Los said...

Interesting points - but... the main idea of the Washington Post article was that it was very high-profile folks who got their identities exposed to the greater Internet. I do agree that the dufus from the "investigating company" makes some rather outrageous claims like the fact that the information was downloaded so many times, and that 40%-60% of confidential information is stolen via P2P... that's an aboslutely idiotic statement with zero basis or grounding... What hurts more is that they don't even bother dropping in a fact or two about how this information was "gathered".

Good write-up.

- Jan 2014 (1) - Mar 2012 (1) - Nov 2011 (1) - Oct 2011 (1) - Apr 2011 (1) - Mar 2011 (3) - Feb 2011 (2) - Jan 2011 (9) - Nov 2010 (1) - May 2010 (1) - Mar 2010 (1) - Feb 2010 (1) - Jan 2010 (1) - Dec 2009 (1) - Nov 2009 (1) - Oct 2009 (1) - Sep 2009 (1) - Aug 2009 (2) - Jul 2009 (1) - Jun 2009 (4) - May 2009 (3) - Apr 2009 (3) - Mar 2009 (10) - Feb 2009 (5) - Jan 2009 (3) - Dec 2008 (5) - Nov 2008 (5) - Oct 2008 (5) - Sep 2008 (4) - Aug 2008 (5) - Jul 2008 (11) - Jun 2008 (8) - Feb 2008 (1) - Aug 2007 (1) -