Laptop Computer Security

Nobody Tells the Feds

An interesting read over at Dark Reading highlights the fact that when it comes to data breaches, we really don’t know the half of it. Kelly Jackson Higgins reports that most organizations hit by data breaches that do not require public disclosure do not call law enforcement. The reasons vary but, far and away, the most common reason for this secrecy is fear that the identity of the breached organization will be publicly disclosed.

There’s little to no trust that the FBI, DHS, or any other agency or entity will successfully safeguard the name of the company that experienced a breach, and the fear is that the result will be a public relations nightmare, just like there would be if the breach did require public disclosure. Additionally, many companies do not believe they really have anything to gain by reporting. They view as quite low the likelihood of receiving any useful information in return that could be used in solving the case, catching a perpetrator, or otherwise mending the breach damage.

One side effect discussed, however, is the significant advantage that this habit gives the thieves. A crucial tool in law enforcement and investigations of breaches is collaboration–correlation of the data across multiple events. That’s how the bad guys are typically tracked down.

But when nobody’s reporting, there’s nothing to coordinate. There’s no breach event data to correlate. And the bad guys keep on…being bad.

Furthermore, this reminds us that when we talk about the severity of theft, its frequency, and the damage, we really don’t know the half of it–it’s worse than you (we) think, most likely.
