Report: Feds Exposed 94 Million Records in 3 Years

In three years, the federal government has reported unintentionally exposing more than 94 million records containing personally identifiable information, according to a recent study. The report, which was released by private security firm Rapid7 and based on data collected by the Privacy Rights Clearinghouse, focused on the time period of Jan. 1 2009 through May 31, 2012, during which time there were 268 reported breach incidents in government agencies. In the first half of 2012, government data breaches represented 14 percent of all incidents, with private enterprise claiming 64 percent of the reported incidents, according to The Open Security Foundation's DataLossDB.

In each government data exposure incident, records could have been exposed in several different ways, with exposure by portable device claiming the biggest casualties: 80,706,983 records lost in 51 incidents, although this number is misleading because of one outlying incident. California, Washington D.C. And Texas are respectively the top three locations for highest number of data breach incidents, with D.C. claiming 76,126,807 records records lost in 20 incidents.

By year, 2009 saw the most records compromised with 79,109,971 reported. Taking 2009 off the table and focusing on 2010 through 2012, the numbers change drastically, reducing the number of reported records lost to about 15 million. The disparity caused by the 2009 statistics can be attributed to a single incident on Oct. 2, 2009, in which a defective hard drive containing detailed records, including social security numbers, of 76 million veterans was returned to a contractor for repair. The contractor determined the hard drive could not be repaired and passed the hard drive onto another company for recycling. The hard drive was used as part of eVetRecs, a system veterans used to request copies of their health records and discharge papers.

While this report focuses on the federal level, state and local governments are not immune. Earlier this year, for instance, both South Carolina and Utah experienced high-profile breaches, and theUtah Health Insurance Exchange also was hacked.

The Rapid7 report characterized government security controls and best practices as weak and security costs as growing. The report outlined five steps government should take to reduce the number of exposure incidents:

1. Vulnerability Management (Risk Assessment). Federal agencies must discover, assess, prioritize, and mitigate vulnerabilities in both physical and virtual federal computing infrastructures. Best practices include mapping vulnerabilities to alerts generated by IAVA, as required by DISA.
2. Penetration Testing (Risk Validation). After vulnerabilities are discovered and prioritized, IT administrators must validate actual exploitability in federal computing infrastructure to document real, contextual risk through penetration tests and social engineering. 
3. Regulatory Compliance (FISMA). Meeting FISMA requirements includes testing security controls that map to NIST SP 800-53 Rev.4 and automating CyberScope reporting, required to submit monthly FISMA metrics. 
4. Configuration Compliance. IT administrators must perform security audits to establish and maintain compliance with the United States General Configuration Benchmarks (USGCB), the Federal Desktop Core Configuration (FDCC) and other SCAP guidelines.  
5. Continuous Monitoring. As a final step, government IT departments must address NIST SP 800-137 requirements for continuous monitoring and risk-guided decision making. 

Another simple yet often overlooked step in data protection rests with being smart about personal passwords.

Read the full report, Data Breaches in the Government Sector, on Rapid7.com.