Government Breaches Exposed 94 Million Records Over Three Years

Analyzing data collected and categorized by the Privacy Rights Clearinghouse, researchers at Rapid7 crunched the numbers and determined that over the last three years, more than 94 million records containing personally identifiable information (PII) were exposed due to data breaches in the government sector.

“Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices,” Rapid7’s report on the data concludes.

The data examined by Rapid7 comes from breaches that occurred from January 1, 2009 to May of this year. In all, 268 breaches led to the loss of 94,304,173 records that contained PII. However, the breakdown of the data is what makes the report interesting.

More than 80 million records were exposed due to incidents involving lost, discarded, or stolen portable devices – such as laptops, PDAs, USB keys, smartphones, CDs, hard drives, or data tapes. Unintended disclosure, where PII was posted publicly online, mishandled, or delivered to an unauthorized party by accident, resulted in the exposure of more than 11 million records.

Yet incidents involving hacking with malware, spyware, or some other type of malicious application resulted in just over a million records lost. Coincidentally, in the data set representing 2012, government agencies reported more hacking incidents than any other type of incident.

Government Data Breaches

When it comes to location, California reported the most incidents, followed by Washington D.C. and Texas. During the time frame analyzed, 2010 had the highest number of incidents (102), followed by 2011 (82) and 2009 (53). There were 31 cases reported between January 1, 2012 and May 31, 2012.

While the number of incidents has gone up and down over the years, the number of PII records exposed each year consistently went up, Marcus Carey, security researcher at Rapid7, told SecurityWeek.

“Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specific threats that government entities are facing, because knowing these threats is key to being able to reduce risk,” commented Carey.

It's more than likely there have been more than 268 incidents since 2009, but they haven't been reported. One important thing to keep in mind while looking at these numbers is that the federal government is not subject to the same data breach notification rules as private sector companies, Carey said. While the patchwork of notification laws requires companies to disclose when customer records are exposed, that isn't necessarily the case for the government sector.

There's less information from the Department of Defense and the military, for example, Carey noted.

In the first five months of 2012, the number of breached records has already doubled, hitting 138 percent compared to 2011, Carey said. This confirms a recent trend Verizon uncovered in its own data breach report earlier this year: even though the number of actual incidents may have gone down, the number of breached records was on the rise.

The full report is available here in PDF format. 

Additional reporting by Fahmida Y. Rashid

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.