In three years, the federal government has reported unintentionally exposing more than 94 million records containing personally identifiable information, according to a recent study. The report, which was released by private security firm Rapid7 and based on data collected by the Privacy Rights Clearinghouse, covered Jan. 1, 2009, through May 31, 2012, a period in which there were 268 reported breach incidents in government agencies. In the first half of 2012, government data breaches represented 14 percent of all incidents, with private enterprise claiming 64 percent of the reported incidents, according to The Open Security Foundation's DataLossDB.
In each government data exposure incident, records could have been exposed in several different ways, with exposure by portable device claiming the biggest casualties: 80,706,983 records lost in 51 incidents, although this number is misleading because of one outlying incident. California, Washington, D.C., and Texas are, respectively, the top three locations for the highest number of data breach incidents, with D.C. claiming 76,126,807 records lost in 20 incidents.
By year, 2009 saw the most records compromised, with 79,109,971 reported. Taking 2009 off the table and focusing on 2010 through 2012, the numbers change drastically, reducing the number of reported records lost to about 15 million. The disparity caused by the 2009 statistics can be attributed to a single incident on Oct. 2, 2009, in which a defective hard drive containing detailed records, including Social Security numbers, of 76 million veterans was returned to a contractor for repair. The contractor determined the hard drive could not be repaired and passed it on to another company for recycling. The hard drive was used as part of eVetRecs, a system veterans used to request copies of their health records and discharge papers.
While this report focuses on the federal level, state and local governments are not immune. Earlier this year, for instance, both South Carolina and Utah experienced high-profile breaches, and the Utah Health Insurance Exchange also was hacked.
The Rapid7 report characterized government security controls and best practices as weak and security costs as growing. The report outlined five steps government should take to reduce the number of exposure incidents:
Another simple yet often overlooked step in data protection rests with being smart about personal passwords.
Read the full report, Data Breaches in the Government Sector, on Rapid7.com.