

IRS Breach Bigger Than First Thought Total Victims Reach 334K - Cocombo
http://bigstory.ap.org/article/bb4d7fb75d2b4f1c85574691e1641e0f/irs-says-thieves-stole-tax-info-additional-220000

======
Cocombo
Who would have thought the IRS's initial estimate would be inaccurate?

~~~
dredmorbius
Someone has suggested a Rule of Data Breaches: they're always bigger than
first reported.

Brief DDG search didn't turn up a reference.... Hrm, not on G+ either. But
someone _other_ than me deserves credit.

------
dredmorbius
I've been saying for a while [1] that data is liability -- this is a bit of a
set piece I think I'll keep dragging out as new breaches are reported....

Or as Cory Doctorow puts it, personal electronic data is the nuclear waste of
the information age.

[http://www.theguardian.com/technology/2008/jan/15/data.secur...](http://www.theguardian.com/technology/2008/jan/15/data.security)

I've also been increasingly coming to the opinion that, while concerns for
oppression of the unprivileged and general population are my principal
interest, it's actually the establishment: governments, business, banks, etc.,
who are more vulnerable, if only because they have greater secrets,
historically greater control over them, and, in breached security, greater
vulnerability to either attack or manipulation.

An exceptionally peculiar aspect of digital data is that, while it may remain
in the boxes and cages provided for it, it's got a notable tendency to find
itself liberated. Often without warning, and not detected for days, weeks,
months, or longer, afterward (as in this case). In the real world we've got
friction, especially associated with data processing and transfer. In digital
form, far less so. Sometimes friction is good.

I'm still backlogged wanting to write about last year's Nude Celebrity Phone
hacking. Dan Kaminsky, fortunately, has written virtually everything I could
say on the topic and then some:

"Not Safe For Not Working On" [http://dankaminsky.com/2014/09/03/not-safe-for-not-working-o...](http://dankaminsky.com/2014/09/03/not-safe-for-not-working-on)

In particular:

"Victim shaming is par for the course in Infosec"

More the case for the celeb scandal than this one.

"You Don’t Necessarily Know When You’ve Been Hit, Let Alone What’s Gone"

A hugely underappreciated aspect. Paul Vixie's had some similar comments along
these lines.

"It’s time we start outright blocking passwords common enough that they can be
online brute forced, and it’s time we admit we know what they are."

A fight I've attempted (and lost) at far too many organizations.

And this:

There’s an old Soviet saying:

If you think it, don’t say it. If you say it, don’t write it. If you write it,
don’t be surprised.

(I discussed Kaminsky's piece earlier here:
[https://plus.google.com/u/0/104092656004159577193/posts/HBvk...](https://plus.google.com/u/0/104092656004159577193/posts/HBvkRxxqL7a))

Until attitudes change, and the question "what is the risk if this leaks" is
asked for every piece of data collected, we'll continue to see more of these
stories. The irony in this case is that the SF-86 background check -- the basic
questionnaire for national security positions -- is what's thought to have
leaked. Or as I observed yesterday on Hacker News, ultimately, countermeasures
risk becoming attack surfaces. Indira Gandhi, prime minister of India, was
assassinated by two of her own bodyguards.[2,3]

That means, though:

Pervasive encryption-at-rest.

Data provenance. Transmission and sharing only with authentication.

Strict data retention policies. Destruction of data past a specific age.

Massive penalties for both disclosure and acting on fraudulent identification
credentials. The latter won't do much for the OPM breach, but if personal data
simply aren't financially useful, interest in them will dry up markedly.

_____________________________ Notes:

1. Sample from a few days back:
[https://plus.google.com/u/0/104092656004159577193/posts/CZqb...](https://plus.google.com/u/0/104092656004159577193/posts/CZqb2eoCSUD)

And June 2014:
[https://plus.google.com/u/0/104092656004159577193/posts/WE8N...](https://plus.google.com/u/0/104092656004159577193/posts/WE8NG8QBTkW)
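The password-blocking point quoted above from Kaminsky (refuse any password common enough to fall within an attacker's online guessing budget) in working code, as an added example that is not from the thread or from Kaminsky's post. The ranked list is a constructed stand-in for a breach-frequency list, the throttling figures used to size the deny list are assumptions, and the normalization step exists because attackers' mangling rules ("P@ssw0rd1!") are the first thing an online guesser tries after the bare word.

```python
"""Deny-list check for passwords that can be guessed online.

Added example, not code from the thread or from Kaminsky's post. The
ranked list below is constructed for illustration (a real deployment would
load a published breach-frequency list); the guess-budget numbers are
assumptions about the login throttling in place.
"""
import re

# Constructed sample: most-common passwords in descending frequency order.
# A real list would be tens of thousands of entries drawn from breach corpora.
COMMON_PASSWORDS_RANKED = [
    "123456", "password", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "sunshine", "master", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
]

# Undo the leet substitutions attackers' mangling rules apply first, so that
# "P@ssw0rd" is recognised as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def canonicalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, undo leet.

    All-digit or all-symbol passwords have no letter core, so they are
    returned lower-cased but otherwise unchanged.
    """
    low = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)  # drop "123" / "!" padding
    if not core:
        return low
    return core.translate(_LEET)


def blocked_set(ranked: list[str], guesses_per_day: int, days: int) -> set[str]:
    """Block every password an online attacker could reach within budget.

    Assumption: throttling limits an attacker to guesses_per_day attempts per
    account, and a patient attacker keeps going for `days` days. Anything in
    the top guesses_per_day * days of the frequency list is therefore
    guessable online and must be refused outright.
    """
    budget = guesses_per_day * days
    return set(ranked[:budget])


def is_blocked(password: str, denylist: set[str]) -> bool:
    """True if the password, or its mangling-stripped form, is on the list."""
    forms = {password.lower(), canonicalize(password)}
    return any(form in denylist for form in forms)


if __name__ == "__main__":
    # Assumed policy: 5 attempts/account/day survives lockout, attacker
    # persists for 3 days, so the top 15 entries are refused.
    deny = blocked_set(COMMON_PASSWORDS_RANKED, guesses_per_day=5, days=3)
    for candidate in ["P@ssw0rd!", "Password1", "ABC123", "ashley",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {'blocked' if is_blocked(candidate, deny) else 'ok'}")
```

The budget calculation is the point worth keeping: the cut-off is not "top 100 because that feels right" but a number derived from the login throttling actually deployed, so relaxing the lockout policy must also grow the deny list. The normalization step is deliberately conservative (it only strips padding and reverses single-character substitutions); a fuller implementation would reuse the same mangling rules a cracking tool applies.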

