Data Breach Summer Reading

In case you haven't heard about them, I thought I'd mention a collection of data breach reports that came out this week. Looking for something to bring to the beach? Here are some great options:

My favorite is from Verizon (specifically, the services group that was formerly Cybertrust). This report combs through the wreckage of more than 500 breach investigations that they've done over the past couple of years.

It is chock-a-block with fascinating data. If you're a security professional looking for information to educate senior management about why what you do is important, this report will do the trick. As an industry, we spend a lot of time on the latest threats and countermeasures - and we should, to a point.

This report demonstrates, however, that most breaches aren't that sophisticated and happen over weeks and months (not days). They could be prevented with basic vulnerability management and monitoring techniques.

Debix (an identity theft protection service) released their May 2008 Identity Theft Study. It examines consumer willingness to help prevent new account fraud. If you're a security pro for a B2C organization, there's some great data in here for you.

The Identity Theft Resource Center (ITRC) published its 5th Annual Aftermath Study. This report is particularly interesting as it examines identity theft from the perspective of victims.

There is lots of fascinating data in this report, including: costs to the victim, costs to business, and time to repair the damage.

Finally, the U.S. Department of Justice released "Data Breaches: What The Underground World of 'Carding' Reveals." The report examines the linkage between data breaches and credit card fraud. If you're a retailer or in the payments industry this data may not be new to you, but this report pulls it all together.

These reports were picked up pretty broadly, but I learned about them at some of my favorite security blogs: Emergent Chaos, Rational Survivability, and Securosis.

Application Security, Inc. provides database security solutions for the enterprise and was named to Inc. Magazine’s 2007 list of America’s Fastest Growing Private Companies (Inc. 500). Its products proactively secure databases and deliver up-to-date database protection that minimizes risk for companies.