Government agencies collect and store a vast amount of personal information about us. It’s the sort of information – Social Security numbers, bank account numbers and medical records – identity thieves use to do their dirty work. So you’d assume everything possible is being done to keep this sensitive information out of the wrong hands. You’d be wrong.
A recent analysis of data breaches in the government sector by the security firm Rapid7 found “a steady increase in the number of records exposed” during the last three years.
From January 1, 2009 to May 31, 2012 there were 268 reported breaches at government agencies that exposed more than 94 million records containing personally identifiable information. The Rapid7 report concludes that these breaches resulted from cyber-attacks, weaknesses in federal information security controls, and not protecting data on portable devices.
“It’s pretty staggering. I don’t know whether to be surprised or depressed about it,” said Marcus Carey, a Rapid7 security researcher who worked on the report. “It’s a problem we all should be concerned about.”
Rapid7 analyzed data gathered by the Privacy Rights Clearinghouse (PRC), a non-profit advocacy group in San Diego. Their Chronology of Data Breaches shows two large federal agencies – Health and Human Services and Veterans Affairs – have each experienced a high number of breaches.
“Both of those agencies have information that can lead to financial identity theft and medical identity theft,” noted Paul Stephens, PRC’s director of policy and advocacy. “They’re simply not putting enough resources into beefing up their information technology structure.”
Something has to change
Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911 criticizes state and federal government agencies for being “extremely careless” with the personal information they collect.
“An enormous percentage of these breached files happened because of stupidity and negligence,” he told me. “It wasn’t because some genius hacked into a system. It was people leaving laptops in the back of cars, posting information on the wrong website, sending unencrypted information to the wrong people.”
Levin is frustrated that protocols are not in place to prevent these security lapses.
“The sad truth is that our own government’s security policies – or lack thereof – have put us all at risk,” he wrote in a recent blog. Levin called for firing high-level bureaucrats who fail to improve their computer security safeguards.
“Depending on the level of negligence, it’s not unreasonable that the bureaucrat should stand trial; if they are convicted of negligence and enabling fraud, they should arguably go to jail,” he wrote.
A former insider says things are improving
Howard Schmidt is an internationally-recognized security expert. He recently stepped down as the White House Cyber Security Coordinator. Schmidt insists the federal government is serious about protecting the data it collects.
Schmidt pointed out that the total number of breaches in the U.S. (both private and government) covered by the Rapid7 analysis was 564-million records. The government portion of that 94-million, less than 20 percent.
“Clearly, too many files have been lost,” he said. “But we have taken very strong measures to reduce the likelihood of a breach happening and put processes in place so that if a breach does occur we have a way to notify those affected by it.”
Schmidt explained that the Department of Homeland Security now has the responsibility to work with all federal departments and agencies to make sure they have the right level of cyber-security expertise and comply with security programs in place to protect their data.
Just the tip of the iceberg
There’s little doubt that the amount of personal information reported stolen from government computers does not begin to represent the true extent of the problem.
“I think it’s a lot worse. The actual compromises are probably way higher than what they are actually reporting,” said Rapid7’s Marcus Carey. “I don’t think some government agencies even know when they’re breached.”
Carey, who worked as a security analyst at the National Security Agency, told me he worries that the problem will get worse as more data moves to mobile devices. He said information is going onto smart phones and tablet computers, and even though a lot of these devices have countermeasures such as encryption, they’re far from secure.
“If you can’t control the device, you can’t control the data,” he said.
The bottom line
Clearly hackers are getting better at breaking and entering into computer systems of all types. But far too many government breaches are cause by careless and negligence.
Pam Dixon, executive director at the World Privacy Forum, believes an attitude change is required to tackle this growing problem.
“We have to get to a point where we do not accept negligence or inattention to data breaches in our government,” she said. “We need people who are really on the ball and take this very seriously.”
More Information: Data Breaches: Know Your Rights
Herb Weisbaum is The ConsumerMan. Follow him on Facebook or visit The ConsumerMan website.
More business news: