What were the top government data breaches in the USA in 2012 (so far)? It appears that this year will be remembered more for state and local breach headlines than for federal government breaches.
I’m starting off this blog with highlights from one of those “scary headline” articles that government technology leaders want their organizations to avoid. And yet, there is an ominous sense across the nation right now amongst security professionals. Most Chief Information Security Officers (CISOs) understand that there are more breaches to come in 2013. To some extent, the sentiment is: “I could be next.”
A shout-out goes to Rock Rakowski, one of our Michigan cybersecurity managers, who sent me an excellent article which addressed this question and even listed ‘lessons learned’ from each breach. The article was written by Ericka Chickowski for Dark Reading. Here’s the abbreviated first five on the list, but I urge you to read her entire piece, including the recommendations:
1) South Carolina – 3.3 million unencrypted bank account numbers and 3.8 million tax returns...
2) California Department of Social Services - Sensitive payroll information about approximately 700,000 individuals…
3) Utah Department of Health - The health information and PII of more than 780,000 Utah citizens...
4) California Department of Child Support Services - lost more than 800,000 sensitive health and financial records…
5) United States Bureau of Justice Statistics - Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data…
More sobering news came from “across the pond” back in August, with the announcement that United Kingdom (UK) data breaches are up 1000% in five years. Here’s an excerpt:
“According to the data, local government data breaches have increased by 1609%, with the next largest increases coming from other public sector organizations (1380%) and the private sector (1159%). Data breaches in the NHS have increased by 935%, and central government breaches are up by 132%. The average increase across all eight recorded sectors since 2007 is 1014%.”
Not to be left out, private sector breaches in America are equally as daunting. Fishnet Security initially reported the following expectations at the beginning of 2012:
“Data Breaches Expected to Rise - The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.
Top Three Threat Sources - Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).
Cloud Computing Moving Up the Risk Ladder - While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.
Mobile Computing is a Growing Concern in Data Breaches - Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.”
So What Other USA Breaches Have We Seen This Year?
This Network World slide show listed the top breaches through June 2012. Naming 13.73 million records within 189 major breaches, while the government breaches are mentioned, the top two breaches named were:
1) “New York State Electric & Gas Co. - Number of records exposed: 1.8 million files that contained customer Social Security numbers, dates of birth and bank account number, due to unauthorized access by a contractor.
2) Global Payments, Inc. - Atlanta, Ga. - No. of records exposed: 1.5 million payment-card numbers, plus in June the company disclosed its investigation is also turning up potentially hacked servers with names of merchant applicants.”
A Plot Against the Internet?
One story that does seem to be getting quite a bit of year-end attention is what Politico calls “The plot against the Internet.” No, this is not some new malware or distributed denial of service (DDOS) attack, but a possible change of Internet governance. Here’s an interesting excerpt:
“The hype is a perfect storm for Matt Drudge: The U.N. will take over the Internet — unless you act fast…. What’s more likely — almost certain to happen, really — is that the World Conference on International Telecommunications will fail to change much of anything about the way the Web works or who cashes in during the two weeks of meetings that start Monday in this Middle Eastern enclave....
Conservative commentators have taken up the case. Wall Street Journal columnist Gordon Crovitz this week wrote a piece with the headline ‘The U.N.'s Internet Sneak Attack,’ arguing that ‘having the Internet rewired by bureaucrats would be like handing a Stradivarius to a gorilla….’”
Meanwhile, Google also posted a message on their front search page about supporting a free and open Internet with a link to this page, which discusses options for getting involved. Their page headline is "a free and open world depends on a free and open web."
In conclusion, 2012 (minus December) has already been one of the top years for data breaches, and certainly the most significant year for government data breaches at the state and local level. The breach trends do not look good going into 2013.
Of course, the presidential election news in 2012 and the current fiscal cliff headlines continue to move cybersecurity stories and breach headlines into a lower priority category for citizen engagement. True, these breach stories get some front-page attention, but the news-talk radio focus is simply not there yet.
However, I believe that sooner or later these issues will be seen as a national crisis that needs to be addressed with an additional level of focus. The country is also ready for a change in the way we communicate credit card, social security, health records and other sensitive information. Passing this data around openly plastic cards, telephones and unencrypted emails is simply too 20th century.
We’ll get there, but we just need to work through our “hot” topics one at a time.
What are your thoughts on the data breaches we’ve seen in 2012? Where are we headed in 2013?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.