Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Government Breaches Exposed 94 Million Records Over Three Years

Analyzing data collected and categorized by the Privacy Rights Clearinghouse, researchers at Rapid7 crunched the numbers and determined that over the last three years, more than 94 million records containing personally identifiable information (PII) were exposed due to data breaches in the government sector.

Analyzing data collected and categorized by the Privacy Rights Clearinghouse, researchers at Rapid7 crunched the numbers and determined that over the last three years, more than 94 million records containing personally identifiable information (PII) were exposed due to data breaches in the government sector.

“Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices,” Rapid7’s report on the data concludes.

The data examined by Rapid7 comes from breaches that occurred from January 1, 2009 to May of this year. In all, 268 breaches led to the loss of 94,304,173 records that contained PII. However, the breakdown of the data is what makes the report interesting.

More than 80 million records were exposed due to incidents involving lost, discarded, or stolen portable devices – such as laptops, PDAs, USB keys, smartphones, CDs, hard drives, or data tapes. Unintended disclosure, where PII was posted publicly online, mishandled, or delivered to an unauthorized party by accident, resulted in the exposure of more than 11 million records.

Yet, incidents involving hacking with malware, spyware, or some other type of malicious application, resulted in just over a million records lost. Coincidently, in the data set representing 2012, government agencies reported more hacking incidents than any other type of incident.

Government Data Breaches

When it comes to location, California reported the most incidents, followed by Washington D.C. and Texas. During the time frame analyzed, 2010 had the highest number of incidents (102), followed by 2011 (82) and 2009 (53). There were 31 cases reported between January 1, 2012 and May 31, 2012.

While the number of incidents has gone up and down over the years, the number of PII records exposed each year consistently went up, Marcus Carey, security researcher at Rapid7, told SecurityWeek.

“Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specific threats that government entities are facing, because knowing these threats is key to be able to reduce risk,” commented Carey.

It’s more than likely there have been more than 268 incidents since 2009 but they haven’t been reported. One important thing to keep in mind while looking at these numbers is that the federal government is not subject to the same data breach notification rules as private sector companies, Carey said. While the patchwork of notification laws requires companies to disclose when customer records are exposed, that isn’t necessarily the case for the government sector.

There’s less information from the Department of Defense and the military, for example, Carey noted.

In the first five months of the 2012, the number of breached records have already doubled, hitting 138 percent, compared to 2011, Carey said. This confirms a recent trend Verizon uncovered in its own data breach report earlier this year, where even though number of actual incidents may have gone down, the number of breached records was on the rise.

The full report is available here in PDF format. 

Additional reporting by Fahmida Y. Rashid

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.