FUD and Exaggeration from the WaPo on Minor Security Breach

July 9, 2008

A new article in the Washington Post entitled “Justice Breyer Is Among Victims in Data Breach Caused by File Sharing” talks about how some idiot accidentally shared 2000 social security numbers of a lawfirm’s high-profile clients. The article irks me for a couple reasons.

First, the leak is really quite small and insignificant, but the article blows it up like it’s a huge thing. Sharing 2000 social security numbers of rich dudes is bad. But it’s nothing compared to thousnds of hacked ATMs stealing card numbers *with PINs*, and sending them to a Russian hacker who has been draining bank accounts and has stolen at least $5 million *so far*, and hasn’t yet been stopped. A little context please? (And the context provided in the article comparing it to a few other insignificant leaks isn’t exactly helpful.)

But what bothers me even more is this completely false statement:

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare. About 40 to 60 percent of all data leaks take place outside of a company’s secured network, usually as a result of employees or contractors installing file-sharing software on company computers.

First, I don’t even know what that means: how can it both be “outside a company’s secured network” and “on company computers”? Or does “secured network” mean “the subset of the network that happens to not leak yet”? (Or does “network” mean “the office internet connection”, without including the computers that connect to it?)

Regardless, it claims 40-60% of “all data leaks” are “usually as a result of … file-sharing software”. Where does that data come from? The only really exhaustive study I know on the subject was the Verizon one, and it came to a completely different conclusion:

Specifically, the words “p2p” and “file-sharing” and “limewire” don’t appear anywhere in it. Furthermore, it says only 18% of leaks are due to insiders, and of those, only 3% were “inadvertent disclosure” (which I think would include accidentally sharing something on Limewire).

The upshot is the Verizon study suggests the exact opposite as this article: rather accidental file sharing being a significant source of leakage, it accounts for at maybe 0.54% of leaks.

So… what’s up with the anti-P2P FUD?


One Response to “FUD and Exaggeration from the WaPo on Minor Security Breach”

  1. Rafal Says:

    Interesting points – but… the main idea of the Washington Post article was that it was very high-profile folks who got their identities exposed to the greater Internet. I do agree that the dufus from the “investigating company” makes some rather outrageous claims like the fact that the information was downloaded so many times, and that 40%-60% of confidential information is stolen via P2P… that’s an aboslutely idiotic statement with zero basis or grounding… What hurts more is that they don’t even bother dropping in a fact or two about how this information was “gathered”.Good write-up.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: