41 Financial breaches so far in 2010? Really???

I'm all for statistics as much as the next security person. When I'm talking to clients, I try to quote useful statistics to help them make business decisions, not to scare them into purchasing things. But I digress... Bankinfosecurity published an interesting timeline (Flash) that supposedly tracks the breaches at US financial institutions so far in 2010. As you mouse over the timeline and categories, summaries of each breach or classification of breach appear. It's nicely done, from a graphic design point of view.

But are we expected to believe there have only been 41 breaches this year? Only 1.7 systems breached a week across all US financial institutions? Wow, infosec teams have gotten damn good! Or have they?

The Bankinfosecurity timeline is based on the Identity Theft Resource Center's Breach Report for the First Half of 2010. ITRC seems like a decent organization, but they're counting only breaches that made the media or had press releases. As you dig into the data, you'll notice a lot of the events actually happened in previous years and are only now being reported. If that lag stays constant it might be acceptable, since breaches that happen in 2010 will likewise get reported in later years, but it means the count says more about disclosure timing than about when systems were actually compromised.

But the final thing that made me doubt this data: 25% of the 41 reported breaches happened in the first week of March, which just happens to be when RSA 2010 occurred.

Did infosec teams take that week off for the conference, or did PR teams work overtime?