Federal agencies fall short on data breaches, GAO report says
The number of data breaches reported by government agencies more than doubled in a four-year period.
Federal agencies are not doing enough to guard against data breaches and protect personally identifiable information (PII) from falling into the wrong hands, according to a report released Wednesday by the Government Accountability Office (GAO).
Noting that the number of data breaches reported by government has more than doubled in just four years to 25,566 incidents, the GAO report said that as a collector of large amounts of PII, government has an obligation to adequately protect it and respond quickly when breaches occur.
But the latest GAO research found that those organizations fell short on both counts. Between 2009 and 2013, the number of incidents involving PII swelled by more than 140 percent and government was the target of some high-profile attacks. Laptops stolen from the home of a Veterans Administration employee exposed PII on roughly 26.5 million veterans while more recently, hackers obtained information about 104,000 people from a Department of Energy system.
The study follows earlier reports — the latest in December scrutinizing the IRS, SEC, Department of the Army and five other agencies — which found that the organizations are uneven in addressing eight components of a mandated information security program and fail to adequately implement specific security controls. And, in fact, they are challenged by a wide range of attacks. While the largest number of incidents was non-cyber in nature, 16 percent were a result of malware and 19 percent were due to policy violations, the GAO study said.
GAO Director of Information Security Issues Gregory Wilshusen revealed the results of the study, "Information Security: Federal Agencies Need to Enhance Responses to Data Breaches," in testimony before the Senate Committee on Homeland Security and Government Affairs, just a day after Federal Trade Commission (FTC) Chairwoman Edith Ramirez outlined the FTC's aggressive pursuit of private companies for failing to "provide reasonable protections for consumers' personal information."