A report out from the Government Accountability Office this week reveals that the Federal government’s number of “information security incidents” wherein Americans’ sensitive personal information was breached has more than doubled in recent years.
GAO reports that, for 2013, there were 25,566 breaches of personally identifiable information (PII) that citizens entrusted to the government. That’s up from 10,481 just four years earlier.
“As you know, in carrying out its responsibilities the Federal government collects large quantities of PII, such as taxpayer data, census data, Social Security information, and patient health information, on American citizens and other residents of our Nation,” Gregory C. Wilshusen, director of information security issues at GAO, said during a Senate hearing on the report. “Consequently, it is critical that Federal agencies take steps to secure the information they collect, retain, and disseminate and that, when events such as data breaches occur, they respond swiftly and appropriately.”
Wilshusen told lawmakers that the government’s efforts to protect Americans’ personal information are “inconsistent” and in need of improvement.
The official said that 25 percent of the 25,566 leaks in 2013 were “non-cyber.” Nineteen percent of the incidents were due to “policy violations” by government officials, 16 percent were blamed on “malicious code” and 5 percent were the result of “suspicious network activity,” according to his testimony.
A data breach can be as simple as a Federal entity mailing sensitive documents to the wrong recipient. But the GAO report also outlines several severe leaks, including instances where massive amounts of government-held personal information fell into the wrong hands.
From the report:
- [I]n May 2006, the Department of Veterans Affairs (VA) reported that computer equipment containing PII on about 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.
- In July 2013, hackers stole a variety of PII on more than 104,000 individuals from a Department of Energy system. Types of data stolen included Social Security numbers, birth dates and locations, bank account numbers and security questions and answers…
- In May 2012, the Federal Retirement Thrift Investment Board (FRTIB) reported a sophisticated cyber attack on the computer of a contractor that provided services to the Thrift Savings Plan. As a result of the attack, PII associated with approximately 123,000 plan participants was accessed. According to FRTIB, the information included 43,587 individuals’ names, addresses, and Social Security numbers, and 79,614 individuals’ Social Security numbers and other PII-related information.
The agency’s report said that not only has the Federal government had trouble keeping Americans’ information secure, but it has also failed on many occasions to implement security controls following breaches.
For instance, the report relays:
- only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches
- only two agencies documented the number of affected individuals for each incident
- only two agencies notified affected individuals for all high-risk breaches
- the seven agencies did not consistently offer credit monitoring to affected individuals
- none of the seven agencies consistently documented lessons learned from their breach responses
The GAO report also gives insight into the preliminary findings of a forthcoming review of cybersecurity at Federal agencies (a large percentage of personal information breaches in this week’s report stemmed from cybersecurity issues).
“While these results are still subject to revision, we estimate, based on a statistical sample of cyber incidents reported in fiscal year 2012, that the 24 major federal agencies did not effectively or consistently demonstrate actions taken in response to a detected cyber incident in about 65 percent of reported incidents,” the GAO reports.
That means that Federal agencies took the proper steps to mitigate leaks of Americans’ personal data due to breaches in cyber networks in only about one third of cases.
Only time will tell what all of this means for the 7 million Americans President Barack Obama claims just forked over troves of personal information—some of whom did so on a glitch-ridden Federal website—to enroll in Obamacare.