Government breaches expose 94 million records over three years
Mismanaged portable devices were a leading cause of government data breaches.
Consumer data privacy has been rising toward the top of government agendas at both federal and local levels in recent months. But while regulators attempt to curb questionable Internet advertising tactics and security teams keep an eye on cybercriminal activity, the real threat may already be inside the gates. According to the latest analysis from Rapid7, government agencies suffered 268 breach incidents between January 2009 and June 2012, exposing more than 94 million records containing personally identifiable information (PII) as a result.
Moving targets
Rapid7 researchers sorted through the incidents included in the Privacy Rights Clearinghouse (PRC) Chronology of Data Breaches to uncover trends relating to the timing, type and location of the events. The highest number of publicly reported incidents came in 2010, nearly doubling the frequency observed in 2009. However, the number of breaches did decline in 2011 and is on pace to do so once again in 2012.
Still, frequency and severity are two distinctly different variables. Although 2009 did not have the highest number of reported incidents, more than 79 million records containing PII were exposed in that year. In 2010, that figure dropped dramatically to 1.5 million only to rise again the following year to more than 4 million compromised records.
What may be most troubling is the sense that a majority of these events were triggered by simple employee negligence. Approximately 81 million records were exposed as a result of loss, theft or careless discarding of portable devices ranging from flash drives to laptops. Unintended disclosures such as information accidentally published on a website or emailed to the wrong party were responsible for nearly 12 million compromised records.
Interestingly enough, hacking or malware incidents were responsible for little more than 1.1 million of the 94 million records exposed to unauthorized viewers. However, the rate of reported cybercriminal activity grew approximately 50 percent year-over-year between 2009 and 2011. And judging by the data security issues observed in the first five months of the year, Rapid 7 analysts suggested that 2012 is on pace to produce twice as many incidents as 2011.
"Government infrastructure has come under attacks from cyber espionage, hacktivism and insider threats," explained Rapid7 security researcher Marcus Carey. "Combine that with a staggering number of cases involving human error and it's clear that the government sector is facing a persistent challenge when it comes to protecting our critical infrastructures, intellectual property, economic data, employee records and other sensitive information."
Addressing the threats
Considering the currently discordant state of data breach notification laws around the country, PRC officials have insisted that their sample likely represents only a portion of the incidents that have actually occurred within government organizations. Nevertheless, the statistics do provide insight into some of the broader trends that may clue security teams into possible solutions.
First and foremost, inconsistent regulation of agency hardware was a clear pain point observed in breach reports. While only one in five incidents involved lost, stolen or improperly discarded portable devices, the exploitation of these high-value assets led to the exposure of 80.7 million records containing PII.
So as agencies begin to expand and refine their mobile device management strategies, maintaining visibility over inventory needs to be the first objective satisfied. Additionally, managers would be wise to enforce strong encryption and establish remote data protection capabilities to mitigate the damage done when devices suddenly go off the radar.
From a broader perspective, the rate of unintended disclosures, physical loss and device mismanagement underscore the pressing need for comprehensive employee education. Considering the speed with which digital workloads are expanding and data security threats are evolving, skill building workshops and comprehension checks will need to be more continuous than sporadic.
Security News from SimplySecurity.com by Trend Micro
Spotlight
Cloud Computing
- US makes large investment in cyber weaponry
- Wall Street has data security concerns over Bloomberg reporting
- Security in backups means more than just encryption
- Employees must buy into the company policy for better cloud security
Virtualization
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Internet Safety
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Vulnerabilities & Exploits
CTO Insights
First Line of Defense
Newsletter
Stay up to date with the latest news and information on online threats.
Recent News
- Cloud security group develops third-party certification program
- US makes large investment in cyber weaponry
- SEC may ask for more information after cyberattacks
- FBI trying to train financial execs on cyber threats
Tag Cloud
cloud cloud computing cloud computing security Cloud Security Compliance & Regulations Consumerization Current News cybercrime Data Privacy data security Encryption Government Policy Internet Protection Internet Safety Internet Safety - DO NOT USE Internet Security Malware Mobile Security Mobility Policy Policy - DO NOT USE Privacy Privacy & Policy Private Cloud Public Cloud Reports Research Spotlight threat intelligence threat research Trend Labs Underground Economy virtualization Vulnerabilities Vulnerabilities - DO NOT USE web security web threats
Comments
No comments yet