Hacks Are Always Worse Than Reported: Nintendo's Breached Accounts Magically Double
from the whoopsie dept
One of these days, we writers at Techdirt will put our collective and enormous heads together and come up with an actual proposed mathematical formula to apply whenever a company first announces a security or account breach, so that the public can calculate what that breach count will eventually end up being. The world needs such a formula because you can pretty much set your watch by it: when a company announces such a breach, the number will grow significantly in the following weeks or months. This happened with Equifax, with TJX, and even with our own vaunted federal government. But if we ever really did try to put together some kind of formula for measuring how much a breach is underplayed in the initial response, the historical breach that would probably break such an algorithm would have to be Yahoo’s email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them.
This severity progression is so routine that it should have a name for easy reference. I propose Geigner’s Effect. I heard somewhere that if you write for this site long enough you get an effect named after you.
The most recent example of, ahem, Geigner’s Effect (actually first proposed on this site by Mike Masnick, but he already has an Effect) is Nintendo, which near the start of the year announced that roughly 160,000 of its Nintendo Accounts had potentially been breached. In an update this week, Nintendo revised that number to nearly double the original amount.
Today, Nintendo announced another 140,000 or so more accounts may have been accessed. That means a total of around 300,000 accounts may have been breached. Nintendo pointed out in an update today that that’s less than one percent of all Nintendo Network ID users.
While that’s true, it’s also 200% of the amount that Nintendo originally said had been breached. And who knows what that number is going to be in another couple of weeks or months? It could stay the same, or it could be more Yahoo-esque and balloon significantly. Remember again, Yahoo revised its breach numbers on a nearly annual basis until it finally settled on “all the accounts.” The public has no reason to trust companies on these numbers and every reason to dismiss the casual trotting out of seemingly comforting math by some PR goon.
So, we reiterate: when you see a report of a breach, know that it’s always more severe than first reported. Until we have our formula ready for prime time, that’s the best you can do.