Ouch! Security Breaches at Federal Agencies Involving PII Just Keep Mounting Up

The number of security incidents at federal agencies that involve PII is soaring considerably and is more than double in the last four years.


14 April 2014

Ouch! Security Breaches at Federal Agencies involving PII Just Keep Mounting Up

The number of security incidents at federal agencies that involve personally identifiable information (PII) is soaring considerably and is more than double in the last four years.

That's according to both a GAO report and testimony given to the Homeland Security &
Governmental Affairs Committee of the US Senate by the US Government Accountability Office (GAO).

In all, there were over 25.5 million reported security incidents involving PII at US agencies in 2013, as compared to 10.4 million in 2009.

Information Security Incidents Involving PII, Fiscal Years 2009 – 2013 - GAO

Don't be fooled by your first look at the graph - those numbers add up to *millions* of separate incidents. As  ZDNet reports, much of the media failed to report the numbers correctly, getting the order of magnitude wrong by not reading the key carefully enough. The number of government security incidents involving PII numbered in the millions and not in the thousands.

Data breaches at federal government agencies are a serious concern, of course, because they can involve large swathes of information about the public - including taxpayer and social security details, as well as healthcare data.

It is clear from the publicly released data that US government agencies continue to face significant challenges in effectively securing PII. Threats such as malware, hacking, social engineering and suspicious network activity all play their part, just as something as simple as a computer with unsecured information about millions of veterans being stolen from an employee's house.

To illustrate the seriousness of the issue, these reports provide details of past security breaches – including one that occurred in July 2013 and involved hackers stealing PII of 104,000 people from a Department of Energy system. Amongst the data stolen in that attack were social security numbers, dates of birth, bank account numbers and secret answers to security questions. The combined cost of assisting victims and lost productivity - due to federal employees being given leave to correct issues caused by the security breach - were estimated to be more than US $3.7 million.

Although the biggest single category for information security incidents, accounting for some 25% of reports, is what the GAO calls "non-cyber", it is clear that much more needs to be done to protect against attacks that involve computers and the internet.

In summary, the increasing number of cyber incidents at federal agencies, many involving the compromise of PII, highlights the need for focused agency action that ensures the security of the wide array of sensitive personal information collected by the federal government. These actions include establishing comprehensive agency-wide information security programs and consistently and effectively responding to incidents when they occur. As we and inspectors general have long pointed out, federal agencies continue to face challenges in effectively implementing all elements of their information security programs. Likewise, agencies are not consistent or fully effective in responding to data breaches and cyber incidents. Ongoing improvements in these areas are needed to help ensure that PII entrusted to the government by American citizens and other individuals is protected from unauthorized access and misuse. 

I don't think any of us would disagree that regular and consistent improvements need to be made to
prevent future sloppy security breaches of PII.



Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.