Consumer data privacy has been rising toward the top of government agendas at both federal and local levels in recent months. But while regulators attempt to curb questionable Internet advertising tactics and security teams keep an eye on cybercriminal activity, the real threat may already be inside the gates. According to the latest analysis from Rapid7, government agencies suffered 268 breach incidents between January 2009 and June 2012, exposing more than 94 million records containing personally identifiable information (PII) as a result.
Rapid7 researchers sorted through the incidents included in the Privacy Rights Clearinghouse (PRC) Chronology of Data Breaches to uncover trends relating to the timing, type and location of the events. The highest number of publicly reported incidents came in 2010, nearly doubling the frequency observed in 2009. However, the number of breaches did decline in 2011 and is on pace to do so once again in 2012.
Still, frequency and severity are two distinctly different variables. Although 2009 did not have the highest number of reported incidents, more than 79 million records containing PII were exposed in that year. In 2010, that figure dropped dramatically to 1.5 million only to rise again the following year to more than 4 million compromised records.
What may be most troubling is the sense that a majority of these events were triggered by simple employee negligence. Approximately 81 million records were exposed as a result of loss, theft or careless discarding of portable devices ranging from flash drives to laptops. Unintended disclosures such as information accidentally published on a website or emailed to the wrong party were responsible for nearly 12 million compromised records.
Interestingly enough, hacking or malware incidents were responsible for little more than 1.1 million of the 94 million records exposed to unauthorized viewers. However, the rate of reported cybercriminal activity grew approximately 50 percent year-over-year between 2009 and 2011. And judging by the data security issues observed in the first five months of the year, Rapid7 analysts suggested that 2012 is on pace to produce twice as many incidents as 2011.
"Government infrastructure has come under attacks from cyber espionage, hacktivism and insider threats," explained Rapid7 security researcher Marcus Carey. "Combine that with a staggering number of cases involving human error and it's clear that the government sector is facing a persistent challenge when it comes to protecting our critical infrastructures, intellectual property, economic data, employee records and other sensitive information."
Addressing the threats
Considering the currently discordant state of data breach notification laws around the country, PRC officials have insisted that their sample likely represents only a portion of the incidents that have actually occurred within government organizations. Nevertheless, the statistics do provide insight into some of the broader trends that may clue security teams into possible solutions.
First and foremost, inconsistent regulation of agency hardware was a clear pain point observed in breach reports. While only one in five incidents involved lost, stolen or improperly discarded portable devices, the exploitation of these high-value assets led to the exposure of 80.7 million records containing PII.
So as agencies begin to expand and refine their mobile device management strategies, maintaining visibility over inventory needs to be the first objective satisfied. Additionally, managers would be wise to enforce strong encryption and establish remote data protection capabilities to mitigate the damage done when devices suddenly go off the radar.
From a broader perspective, the rate of unintended disclosures, physical loss and device mismanagement underscores the pressing need for comprehensive employee education. Considering the speed with which digital workloads are expanding and data security threats are evolving, skill-building workshops and comprehension checks will need to be continuous rather than sporadic.
Security News from SimplySecurity.com by Trend Micro