The Department of Veterans Affairs mailed personal information to the wrong recipients, one of many examples of a federal data breach. (Sheila Vemmer/staff / Army Times Publishing Co.)
Last month, the Veterans Affairs Department notified nearly 100 veterans that their personal information had been mishandled or misused electronically.
In a monthly data breach report to Congress, VA reported an additional 111 veterans were notified after their information was incorrectly mailed to the wrong person.
While these slipups represent a fraction of the massive volume of mailings and data handling that VA conducts, these errors are representative of a larger issue across all levels of government.
According to this year’s Verizon Data Breach Investigations Report, miscellaneous errors, which include misdelivery and publishing errors, were more prevalent in the public sector than in most other industries. The frequency of these types of errors within the public sector surpassed the number of incidents classified as insider misuse or theft and loss.
Sending paper documents or emails to the wrong person is the most common miscellaneous error, the report found.
The annual report analyzed nearly 65,000 cyber incidents involving 50 public and private sector organizations around the globe. Verizon used a statistical process to group incidents into nine basic patterns, which the security firm says account for 92 percent of all the threats Verizon has analyzed over the past 10 years.
The categories include cyber espionage, denial of service, miscellaneous errors and Web app attacks.
“If you can remediate against these nine, you’ve got a big head start,” said Kevin Thompson, an analyst for the report.
Thompson cautioned against assuming government is doing worse than the private sector when it comes to guarding against disposal errors, misdelivery and similar incidents. Government agencies like the VA are required to report their breaches and make data publicly available.
“In a perfect world with perfect data, we would see everyone lit up in that column,” Thompson said of other industries publicly reporting their miscellaneous errors.
Verizon defines these types of errors as “incidents where unintentional actions directly compromised a security attribute.” This doesn’t include lost devices, which are categorized as theft.
Government entities should assume errors will happen and apply processes that will enable them to detect potential errors before they occur, Thompson said.
“People are going to make mistakes, and you can’t patch that,” he said.