Report: Government Exposed 94 Million Personal Records Over 3 Years


Rapid7, a Boston-based security vendor, has issued a document stating that the government sector has reported 268 individual data breaches from Jan. 1, 2009, to May 31, 2012, exposing more than 94 million records containing personally identifiable information (PII).

The data reveals a 50 percent increase in the number of compromises affecting the government sector from 2009 to 2010, as well as a major spike in the number of records exposed each year, with the number increasing by 169 percent from 2010 to 2011.

Meanwhile, incremental numbers from 2012 suggested this year will likely double the numbers from 2011. Some of these losses are believed to be related to incidents of hacking, although unintended disclosure, the loss or theft of portable devices and physical loss often contribute to a number of breaches as well. In prior years, accidental exposure outnumbered the losses due to hacking and similar malfeasance.


Of the 94 million exposed records, nearly 81 million were exposed due to loss, theft or discarding of portable devices. Unintended disclosure was listed as the cause in 11.7 million cases, and hacking was determined to be the source of the issue in 1.1 million instances.

"We are seeing an increase in the number of people who are actually trying to break into systems," confirmed Marcus Carey, security researcher at Rapid7. "Hacktivism plays a big part in this and is becoming a lot more prevalent. In these cases, the government is definitely a lot more targeted than enterprise. Things like WikiLeaks, and similar websites, have really stoked the fire, because people see this information, get outraged and decide to act, sometimes in illegal or unethical ways."

At the federal level, agencies related to veterans reported 14 incidents, including multiple incidents with the U.S. Department of Veterans Affairs. The Department of Defense did not report any losses at all. However, it is entirely possible that the DoD's absence of reports is more closely related to the department's disclosure policy.

At the state level, California, with 21 breaches, District of Columbia, with 20 breaches, and Texas, with 16 breaches, reported the largest number of incidents, whereas Kentucky, Montana, Nevada, North Dakota and South Dakota each reported no data breach incidents during the analyzed time frame.

Alaska, Delaware, Idaho, New Hampshire, Rhode Island and West Virginia reported one incident each, with a combined total of fewer than 75,000 exposed records.

"I like reports like these, because they help you understand what is really going on out there," said Carey. "It shows you what the real threats are, where we are doing well, and where we need to tighten things up."

The Rapid7 report is based on a compilation of data from a number of different sources, including the Ponemon Institute and several of the government agencies themselves.

PUBLISHED SEPT. 7, 2012