December 2, 2012 By Dan Lohrmann
What were the top government data breaches in the USA in 2012 (so far)? It appears that this year will be remembered more for state and local breach headlines than for federal government breaches.
I’m starting off this blog with highlights from one of those “scary headline” articles that government technology leaders want their organizations to avoid. And yet, there is an ominous sense across the nation right now amongst security professionals. Most Chief Information Security Officers (CISOs) understand that there are more breaches to come in 2013. To some extent, the sentiment is: “I could be next.”
A shout-out goes to Rock Rakowski, one of our Michigan cybersecurity managers, who sent me an excellent article which addressed this question and even listed ‘lessons learned’ from each breach. The article was written by Ericka Chickowski for Dark Reading. Here’s the abbreviated first five on the list, but I urge you to read her entire piece, including the recommendations:
1) South Carolina – 3.3 million unencrypted bank account numbers and 3.8 million tax returns...
2) California Department of Social Services - Sensitive payroll information about approximately 700,000 individuals…
3) Utah Department of Health - The health information and PII of more than 780,000 Utah citizens...
4) California Department of Child Support Services - lost more than 800,000 sensitive health and financial records…
5) United States Bureau of Justice Statistics - Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data…
More sobering news came from “across the pond” back in August, with the announcement that United Kingdom (UK) data breaches are up 1000% in five years. Here’s an excerpt:
“According to the data, local government data breaches have increased by 1609%, with the next largest increases coming from other public sector organizations (1380%) and the private sector (1159%). Data breaches in the NHS have increased by 935%, and central government breaches are up by 132%. The average increase across all eight recorded sectors since 2007 is 1014%.”
Not to be left out, private sector breaches in America are equally as daunting. Fishnet Security initially reported the following expectations at the beginning of 2012:
“Data Breaches Expected to Rise - The majority of respondents (97%) stated that the number of data breaches will increase; only 3 percent stated that the number of breaches would decrease.
Top Three Threat Sources - Executives and security practitioners believe that the top three computing sources that present the greatest threats to information security today are Mobile Computing (35%), Social Networks (27%) and Cloud Computing Platforms (18%).
Cloud Computing Moving Up the Risk Ladder - While 31 percent of respondents believe Mobile Computing will remain the top threat area for the next two years, 28 percent believe that over this same two-year period Cloud Computing will replace Social Networks as the second-riskiest computing environment.
Mobile Computing is a Growing Concern in Data Breaches - Nearly a third of respondents (30%) expect Mobile Computing to increase the most among all data breach sources this year. Organized Cybercriminal Hackers (25%) came in second, while Accidental Exposure of Data (19%) came in third.”
So What Other USA Breaches Have We Seen This Year?
This Network World slide show listed the top breaches through June 2012. Naming 13.73 million records within 189 major breaches, while the government breaches are mentioned, the top two breaches named were:
1) “New York State Electric & Gas Co. - Number of records exposed: 1.8 million files that contained customer Social Security numbers, dates of birth and bank account number, due to unauthorized access by a contractor.
2) Global Payments, Inc. - Atlanta, Ga. - No. of records exposed: 1.5 million payment-card numbers, plus in June the company disclosed its investigation is also turning up potentially hacked servers with names of merchant applicants.”
A Plot Against the Internet?
One story that does seem to be getting quite a bit of year-end attention is what Politico calls “The plot against the Internet.” No, this is not some new malware or distributed denial of service (DDOS) attack, but a possible change of Internet governance. Here’s an interesting excerpt:
“The hype is a perfect storm for Matt Drudge: The U.N. will take over the Internet — unless you act fast…. What’s more likely — almost certain to happen, really — is that the World Conference on International Telecommunications will fail to change much of anything about the way the Web works or who cashes in during the two weeks of meetings that start Monday in this Middle Eastern enclave....
Conservative commentators have taken up the case. Wall Street Journal columnist Gordon Crovitz this week wrote a piece with the headline ‘The U.N.'s Internet Sneak Attack,’ arguing that ‘having the Internet rewired by bureaucrats would be like handing a Stradivarius to a gorilla….’”
Meanwhile, Google also posted a message on their front search page about supporting a free and open Internet with a link to this page, which discusses options for getting involved. Their page headline is "a free and open world depends on a free and open web."
In conclusion, 2012 (minus December) has already been one of the top years for data breaches, and certainly the most significant year for government data breaches at the state and local level. The breach trends do not look good going into 2013.
Of course, the presidential election news in 2012 and the current fiscal cliff headlines continue to move cybersecurity stories and breach headlines into a lower priority category for citizen engagement. True, these breach stories get some front-page attention, but the news-talk radio focus is simply not there yet.
However, I believe that sooner or later these issues will be seen as a national crisis that needs to be addressed with an additional level of focus. The country is also ready for a change in the way we communicate credit card, social security, health records and other sensitive information. Passing this data around openly plastic cards, telephones and unencrypted emails is simply too 20th century.
We’ll get there, but we just need to work through our “hot” topics one at a time.
What are your thoughts on the data breaches we’ve seen in 2012? Where are we headed in 2013?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.