SecurityFocus 2006-12-12
The Privacy Rights Clearinghouse maintains a list of major data breaches publicly disclosed since February 2005. To date, nearly 100 million records have been put at--albeit uncertain--risk by data breaches, lost laptops and missing backup tapes, according to the organization.
The overwhelming majority of those data breaches will not result in fraud, according to analyst firm Javelin Strategy & Research, which surveys the victims of identity fraud annually.
In an analysis released in August, the firm found that only 6 percent of all identity fraud--defined as someone using the victim's accounts or creating new accounts in the victim's name--where the source could be identified resulted from a breach. Looked at another way, only 0.8 percent of those alerted to a breach actually became victims of fraud, said Bruce Cundiff, senior analyst with Javelin Strategy & Research.
"The vast majority of victims of data breaches do not automatically become the victims of data fraud," Cundiff said. "The number you hear is 800,000, so you immediately think that 800,000 will become the victims of identity fraud. From the data we have gathered, that simply is not true."
It also depends on the exact details of the breach, he said. The thieves who stole the laptop from an employee of the U.S. Department of Veterans Affairs, for example, allegedly did not know, or care, about the data on the system, making it less likely that the data will be used for fraud. In another university breach, a flaw in the admissions database at the University of Southern California caused that school to notify nearly 280,000 students after a security researcher breached the school's Web application to demonstrate a vulnerability. The researcher, Eric McCarty, agreed to plead guilty to accessing the system--in total, seven records--without authorization and will be sentenced to three years of probation with a condition of 6 months of home detention, if the judge agrees to the terms. (corrected)
In the latest breach case, representatives of the University of California, Los Angeles stressed that the school is using an "abundance of caution" in warning people.
"UCLA is notifying all of those individuals in the database, even though a continuing investigation indicates that the computer trespasser sought and obtained only some of the information," the university said in a notice on its site. "There is no evidence to suggest that personal information has been misused."
The university also sent its warning letter to more than 3,000 staff and faculty of the University of California, Merced, as well as current or former employees of the University of California Office of the President. UCLA does administrative processing for the two offices.
CORRECTION: The article mistakenly referred to the McCarty case as complete. While McCarty and prosecutors have come to a plea agreement, the judge has yet to rule on the agreement.