Never Trust the First Number Announced in a Data Breach


When a company or government agency suffers a data breach, the number of records it says were lost is often a preliminary estimate, whether it says so or not.

Last week, T-Mobile revealed that hackers had stolen records for “approximately” 15 million of its customers. How approximate? If history is any guide, very approximate.

When a company or government agency suffers a data breach, the number of records it says were lost is often a preliminary estimate, whether it says so or not. Typically, the investigation has only just begun. So the organization announces a number and goes back to investigating, digging into the voluminous activity logs in its security systems.

As a result, large data breaches tend to grow even larger over time. Target, for instance, initially revealed that 40 million payment cards had been stolen from the retailer, but also said it was still conducting a “thorough investigation.” That foreshadowed its later announcement that 70 million additional records had been compromised.

Consider that most of these large organizations with sensitive records are drowning in alerts from sophisticated security systems that bleep and bloop all day, every day. Separating the important bleeps from the meaningless bloops is increasingly difficult. That’s one reason why nearly half of all network intrusions take months to discover, according to a Verizon report, and those discoveries are usually made by law enforcement, not the organizations themselves.

Data forensics is difficult work. “Attacks can take so much data for so long a period of time, it’s nearly impossible to know how much was lost,” said Salvatore Stolfo, head of the intrusion detection lab at Columbia University.

Organizations sometimes are forced to estimate the scale of attacks based simply on the total number of records in compromised databases and servers. Another way to measure the breach’s scope, according to Stolfo, is to find the stolen data posted online. In the case of Adobe’s 2013 data breach, 3 million compromised accounts quickly turned into 38 million; then experts found an online dump that appeared to be the Adobe data, and it included 150 million records.

Organizations that have been hacked usually signal that the size of the breach is likely to grow larger.

Adobe’s first statement said, “Our investigation currently indicates…”

Home Depot initially said, “The company’s ongoing investigation has determined…”

When hackers first revealed that American tax returns had been stolen earlier this year, the US Internal Revenue Service said, “The matter is under review.” The number of affected taxpayers later tripled.

Likewise, when the US Office of Personnel Management lost the records of millions of government employees, it first said, “Since the investigation is on-going, additional PII exposures may come to light,” referring to personally identifiable information. The number grew from 4 million to nearly 26 million in about a month.

T-Mobile is currently in the post-announcement investigation stage, checking out a particular bleep, searching through logs and records. Experian, the record-keeping vendor that lost T-Mobile’s data, has been here before. Last year, one of its subsidiaries, Court Ventures, lost 200 million records in a peculiar breach where the culprit was actually a paying customer.

T-Mobile CEO John Legere released a statement after the incident saying he’s “incredibly angry” with Experian and that T-Mobile will “institute a thorough review of our relationship” with the vendor.

His statement also said, “The investigation is ongoing.”

(Image via wk1003mike/Shutterstock.com)