State and federal government agencies had relatively few data breaches this year compared to private sector companies. When breaches did occur, they tended to be much smaller in scope compared to the major incidents at Home Depot, JPMorgan Chase, Community Health Systems, and a slew of other companies.
Privacy Rights Clearinghouse, which maintains a database of all publicly reported data breaches since 2005, lists just 27 incidents involving a government entity so far in 2014. That number represents about half the 55 breaches reported by government agencies last year and less than one-third of the 86 breaches reported by agencies in 2012.
About 1.73 million data records containing bank account information or Social Security numbers were compromised in government data breaches this year compared to 500,000 records in 2013, and 16.2 million records in 2012. Many of the breaches listed on Privacy Rights Clearinghouse do not specify the number of data records that were exposed. So the total number of compromised records for each year could be much higher.
[Kill switches alone won't end phone theft. Read FCC: Too Many Phones Still Being Stolen.]
The number of breaches and the total number of records known compromised in government security incidents were significantly less than comparable numbers on the private sector side this year. Retailers and companies in the financial services industry, healthcare, non-profits, and other non-government organizations reported 246 breaches in 2014, exposing a cumulative 65 million records in the process.
Of the government data breaches reported this year, here are four of the most significant ones. (We're treating three separate incidents involving attacks on the White House, US Department of State, and the National Weather Service as one breach because of the similarities and the close timing of the breaches.)
Unknown hackers broke into more than two-dozen servers at the US Postal Service earlier this year, including one containing names, Social Security numbers, birth dates, and other personally identifiable information on about 800,000 workers and 2.9 million customers.
The intrusion might have happened some time early this year but the Postal Service did not discover it until US law enforcement told it in September. Even then, technology staff at the Postal Service working with security experts spent another two months developing a response and mitigation strategy before finally shutting down the threat in late November. The breach, which some have speculated might have been carried out by Chinese hackers, has prompted a large-scale security overhaul at the Postal Service.
A tale of two breaches
Names, birth dates, Social Security numbers, and other personally identifiable information belonging to about 850,000 job seekers in Oregon was exposed after hackers gained illegal access to a database containing the information at the State Employment Department. The names were part of the WorkSource Oregon Management Information System and pertained to individuals looking for jobs at state employment offices, according to The Oregonian.
The department quickly shut down the system after discovering the breach but restored services a short time later. As with many other incidents this year, the Department first learned of the breach through an anonymous tip. In February, a similar intrusion prompted the Oregon Secretary of State's office to temporarily take down several online systems including its Central Business Registry and the state's online campaign finance reporting system.
The China syndrome
Systems at the US Department of State, the National Weather Service, and the White House were hit earlier this year in a series of near back-to-back attacks that prompted some concern over the resilience of federal networks to modern cyber attacks. The attack on the Weather Service affected four websites and caused a temporary disruption in the delivery of satellite data used globally by the aviation industry, shipping companies, and others. Both the State Department and the White House said the attacks only affected non-classified portions of their networks. The White House incident prompted temporary loss of network connectivity and system outages for staff at the executive office. Security researchers described the attacks as appearing to be the work of state-sponsored groups in China.
A network intrusion at the US Investigations Services (USIS) exposed data on background checks conducted on about 25,000 underground investigators and other staff at the US Department of Homeland Security. The data believed to have been accessed in the incident included highly personal information pertaining to criminal histories, drug use, spouses, friends, and relatives of those being investigated. Although USIS is a private company, it is a major contractor to several government departments and agencies including the Departments of Defense, Justice and State, and US intelligence agencies as well. The breach prompted several questions over the inadequate measures used by federal agencies to vet the security preparedness of third-party service providers. USIS described the attack as having all the hallmarks of a state-sponsored incident.
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records. Get the No Excuse For Missing Documents Tech Digest from InformationWeek Government today. (Free registration required.)