Breach Clarity ranks the risk of stolen or exposed personal data. It's a much needed work in progress.

Data breaches are so common that even a theft of a billion records of seriously confidential information barely makes the news. It’s business as usual. Part of the problem is that all the data breaches involving our data become melded together. It seems as if all our personal data is already out there — many times over. So, who cares if it happens once (or ten times) more? We’re numb to yet another attack that includes our personal data. In the beginning we feared every announced data breach. Now we don’t fear any.

I’ve previously written about the lack of useful risk management data surrounding most data breaches. Specifically, I didn’t like the lack of pertinent facts around each individual data breach, which doesn’t allow stakeholders to determine how bad the breach really was. For example, if a hospital accidentally leaves behind personal medical information in an old office during a move to new office space, it’s called a data breach and treated by reporting entities and databases as being as serious as a malicious data breach where criminals stole data.

The same is true when a website coding error leaves records exposed and a whitehat hacker publicizes it. It’s treated as if malicious hackers have used the vulnerability to pull every record the website has. “A billion records exposed!” scream the headlines, but there is no proof that anyone maliciously pulled a single record. Exposure is a far different risk from actual theft. Unfortunately, the news media often treats them the same.

Every data breach is usually treated like a bad data breach even if the true risk is something less. In my earlier article, I suggested a data breach rating system like what is already in place for reported software vulnerabilities. I got a good response, including dozens of security experts who agreed with me. A few respondents even said they were working on exactly what I was asking for.

Breach Clarity offers insight to breach risk

Last week, one of them, Jim Van Dyke, CEO of Futurion, showed me his new beta website called Breach Clarity. Van Dyke is a long-time computer technologist and analyst with over 35 years of experience, specializing in fraud and identity management. He has founded several companies, including multiple digital technology-related research firms. He sold his last, Javelin Strategy & Research, and now works full time as an expert witness in major data breach cases. He was on the Consumer Advisory Board of the U.S. federal Consumer Financial Protection Bureau (CFPB) for three years and has testified to the U.S. House of Representatives. Suffice it to say that Van Dyke has some relevant experience in and around data breaches.

Breach Clarity allows any visitor to enter the name of a breached company and find out what information was taken and the relative risk of that particular breach, rated on a scale of 1 to 10, with 10 being the highest. The figures below show two examples, one high risk and the other relatively low risk.

[Figures: two Breach Clarity result pages, one for a high-risk breach and one for a low-risk breach. Images: Roger Grimes]

It shows you not only the relative ranking score, but what types of information were stolen (e.g., name, credit card or Social Security numbers) and tells you what type of fraud risk that particular type of data leads to. It also gives consumers actions they can take to protect their identity and to prevent fraud. In my testing of the site I found a few small bugs, and I didn’t always agree with the rankings. I’m not even sure what goes into the algorithm that determines the scores. However, I’ve never come across a site that makes it so easy to see what information was taken, field by field, and what the potential risk exposure is. It’s a really good start to a very complex problem.

I talked with Van Dyke, and he’s passionate about the subject and has extra personal motivation to help improve the world. That’s a good thing and I’m glad he is working on the problem.

Breach Clarity complements HaveIBeenPwnd

I would love to see a feature where any person could put in their own name and see all the information that has been stolen about them, from what companies and when. That would be a very tough one for anyone to pull off because there is no centralized public (or even private) database that tracks breaches by individual name. That would be the Holy Grail.

If I know that my information was breached from such-and-such a company, I can go to Jim’s site and see what information was taken and get a relative risk score. Many times we aren’t aware of data breaches that involve our information. When I went to Troy Hunt’s HaveIBeenPwnd site, I was shocked at how many times my email address was listed as having been compromised. (Note: Hunt is putting his fantastic site up for sale. Kudos to the lucky buyer and thanks, Troy, for giving us a place to find out how many times our individual records were compromised.)

What we need is a combination of the Breach Clarity and HaveIBeenPwnd services melded together, along with a publicly known algorithm that shows how the different breach severities were determined. I want to clarify that a truly low risk “breach” such as leaving records behind in an old office is not nearly as risky as when a bad guy takes off with my personal information. The intent of the attacker, if known, needs to be part of the equation.

I’m delighted to see progress being made on better risk-ranking of data breaches. These new and evolving services aren’t widespread yet, but they are steps in the right direction. I wish the Van Dykes and Hunts of the world greater success. We need these types of people out there being our advocates.
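To make the "publicly known algorithm" argument concrete, here is an added example of what a transparent breach severity scale could look like. It is not Breach Clarity's algorithm (which the article notes is unpublished) and not the author's; the field weights, incident factors, fraud-type labels and sample breaches are all constructed assumptions. The point it demonstrates is structural: what was taken, how it left the organization (misplaced, exposed, or stolen) and whether misuse is already confirmed are scored as separate, visible inputs, so the same records lost in a move get a very different score from the same records carried off by criminals, and anyone can audit why.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

# Constructed per-field sensitivity weights. Breach Clarity does not publish its
# scoring inputs; these numbers are assumptions chosen only to illustrate a
# reproducible scale. A real scheme would need to calibrate them against fraud data.
FIELD_WEIGHTS: dict[str, int] = {
    "name": 1,
    "email": 1,
    "date_of_birth": 2,
    "password_hash": 3,
    "credit_card": 4,
    "medical_record": 5,
    "password_plaintext": 5,
    "ssn": 6,
}

# Illustrative mapping from a compromised data type to the fraud it most directly enables.
FRAUD_RISKS: dict[str, str] = {
    "email": "phishing",
    "password_hash": "account takeover (after offline cracking)",
    "password_plaintext": "account takeover",
    "credit_card": "existing-account payment fraud",
    "medical_record": "medical identity fraud",
    "ssn": "new-account identity fraud",
}


class Incident(Enum):
    """How the data left the organization; the value scales the sensitivity total."""
    MISPLACED = 0.2   # records left behind, no evidence anyone accessed them
    EXPOSED = 0.5     # reachable through a flaw, no proof anyone pulled a record
    STOLEN = 1.0      # criminals confirmed to have taken the data


@dataclass(frozen=True)
class Breach:
    company: str
    fields: frozenset[str]
    incident: Incident
    confirmed_misuse: bool = False   # fraud already observed using this data


MAX_SCORE = 10


def fraud_risks(fields: frozenset[str]) -> list[str]:
    """Distinct fraud types the compromised fields enable, sorted for stable output."""
    return sorted({FRAUD_RISKS[f] for f in fields if f in FRAUD_RISKS})


def explain_breach(b: Breach) -> dict:
    """Score a breach and return every intermediate value so the result can be audited."""
    contributions = {f: FIELD_WEIGHTS.get(f, 1) for f in sorted(b.fields)}
    raw = sum(contributions.values())
    # Sensitivity saturates: once SSN plus payment data are gone, extra fields add little.
    capped = min(raw, MAX_SCORE)
    misuse_bonus = 1 if b.confirmed_misuse else 0
    score = round(capped * b.incident.value) + misuse_bonus
    score = max(1, min(MAX_SCORE, score))   # keep to the article's 1..10 scale
    return {
        "company": b.company,
        "field_contributions": contributions,
        "raw_sensitivity": raw,
        "capped_sensitivity": capped,
        "incident_factor": b.incident.value,
        "misuse_bonus": misuse_bonus,
        "score": score,
        "fraud_risks": fraud_risks(b.fields),
    }


def score_breach(b: Breach) -> int:
    """Convenience wrapper returning only the 1..10 score."""
    return explain_breach(b)["score"]


# Constructed sample breaches; the company names are placeholders, not real incidents.
SAMPLE_BREACHES = [
    Breach("ExampleBank", frozenset({"name", "ssn", "credit_card"}), Incident.STOLEN, True),
    Breach("ExampleClinic", frozenset({"name", "medical_record"}), Incident.MISPLACED),
    Breach("ExampleShop", frozenset({"name", "email"}), Incident.EXPOSED),
    Breach("ExampleForum", frozenset({"name", "email", "password_hash"}), Incident.STOLEN),
]

if __name__ == "__main__":
    for breach in SAMPLE_BREACHES:
        r = explain_breach(breach)
        print(f"{r['company']}: {r['score']}/10 "
              f"(sensitivity {r['raw_sensitivity']} x incident {r['incident_factor']} "
              f"+ misuse {r['misuse_bonus']}) -> {', '.join(r['fraud_risks']) or 'none'}")
```

Running it scores the hypothetical clinic's misplaced medical records at 1 and the same records, if stolen, at 6; the bank breach with confirmed misuse saturates at 10. Returning the full breakdown rather than a bare number is the design choice that matters: a consumer, a journalist or an expert witness can check each input, and a disputed ranking becomes a disagreement about one weight or one incident classification rather than about an opaque score.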