I start my Top Ten Breaches presentation with data analysis and a review of what gets attention in the news. It does not always map to what I find when I look at the actual breach reporting databases.

Here is an example of what I like to dispel and clarify: Credit Card Hackers Visit Hotels All Too Often

A study released this year by SpiderLabs, a part of the data-security consulting company Trustwave, found that 38 percent of the credit card hacking cases last year involved the hotel industry. The sector was well ahead of the financial services industry (19 percent), retailing (14.2 percent), and restaurants and bars (13 percent).

The first question is what percentage of Trustwave customers are Hotels. Next question is whether payment card breaches are the only subject of the study (versus PII, etc). Then I would want to know, depending on the first two answers, the sample size…and so on.

It is plausible that Trustwave releases this kind of study to drive more business to their Hotel security and breach response team. The full set of data might show educational institutions and government agencies are breached more often, but Trustwave could isolate a data set most relevant to the services they sell (or it may just turn out to be the only data they have). Without reading the report it is hard to say what assumptions were made.

That is why I find the news better for anecdotes about the individual breaches. However, I find it odd in this case that the NYT reporter is quoting from ABC News instead of a primary source:

Last month, Destination Hotels and Resorts, a chain of luxury properties in the United States, notified customers that credit cards “may have been compromised.”

ABC News reported that Destination had been victimized by “an intense database attack that lasted over three months,” and quoted law enforcement authorities saying that losses, which totaled hundreds of thousands of dollars, averaged $2,000 to $3,000 on each of the estimated 700 credit card numbers stolen.