I was reading tonight on the informative Fraud, Phishing, and Financial Misdeeds blog that Attrition.org might be calling it quits for their Data Loss Database - Open Source (DLDOS). <FIN> Bummer!

Looking at Attrition.org's current news, perhaps the news of DLDOS's demise might be premature after all.

They have another news item, dataloss: A new beginning. saying they will be continuing DLDOS <SYN>. (By the way, I looked at the "partner" site mentioned in the last paragraph and see it's a ripping, somewhat risqué spoof.) As I am writing this post, I see that the current version of DLDOS database was updated Sunday 13 April 2008. Ctrl-Z my "Bummer" comment above.

Another good resource for data loss incidents is the Privacy Rights Clearinghouse's Chronology of Data Breaches.

J.D. Abolins

A couple of years ago, I had posted on my former blog about ID Analytics' survey of data breaches. They had studied four data breaches involving over half a million consumer identities and examined the scope of exploitation of the stolen data.

ID Analytics found that relatively few of the people whose identity data was stolen in a data breach had the data exploited for financial fraud. The report is no longer online but copies can be found at archive.org. Although four data breaches is a rather small sample size, I found the ID Analytics report to be a good hint that stolen identity data might not be actually exploited extensively.

Matthew Elvey commented on my posting and raised an interesting point:

Umm... when TD Ameritrade's customer database was breached, it appears that approximately all of the customers had their data abused. Exception to the rule? If so, it's a pretty big one - about 6.2 million exceptions big.

This 2007 incident, indeed, raises the question if the 2006 ID Analytics report's claims still hold. I was wondering about the scope of the data exploitation.

I checked the Privacy Rights Clearinghouse's useful chronology of US data breaches. The big TD Ameritrade breach is listed under 15 September 2006. (They had a couple of smaller earlier data breaches also listed.) Yes, 6.3 million customers did have their contact information --- names, e-mail addresses, phone numbers & home addresses --- stolen. The PRC chronology entry notes that company customers afterwards received spam, a likely exploitation of the stolen email addresses.

TD Ameritrade's site carries a "Special Client Announcement" about the incident and the spam. TD Ameritrade claims, "At no time were clients' financial assets held at TD AMERITRADE touched as a result of this issue. UserIDs and passwords were not stored in this particular database." The announcement also mentioned that TD Ameritrade hired ID Analytics to monitor the affected customers' credit following the breach.

Looking further, I am seeing that the spam was "pump & dump" scam spam. According to an 18 September 2007 Security Focus article, the exposure of TD Ameritrade customers' email addresses to spammers may have been going on for a while before the big data breach. The article also mentions Mr. Elvey's experiences with the "pump & dump" spams. Now, I understand his comments a bit better.

So far, it doesn't look like financial exploitation of the stolen data in the form of stealing money from the customers' accounts or establishing fraudulent accounts in their names. Yes, the scam spams are abusive but they were not the form of exploitation ID Analytics was considering in its report.

Significant financial exploitation of stolen customer data may have occurred in a 2006 data breach involving TD Ameritrade Holding Corp. and E-Trade Financial Corp.

So far, I believe the ID Analytics report's claim of low risks for actual financial exploitation (which takes more time and effort than spamming) still holds. But I am glad Mr. Elvey made his comment questioning the report. Things can change and current security notions need to be periodically re-examined.

Finally, an excellent blog concerning fraud is the "Fraud, Phishing, and Financial Misdeeds" blog.

Still looking to fully exploit my own identity,
J.D. Abolins
