Data breaches by local, state and federal agencies over the past eight years cost governments some $26 billion, according to a new report.
The U.S. Postal Service and the Office of Personnel Management had a combined nearly 82 million records compromised in the two largest all-government data breaches since 2014, according to the report compiled by Comparitech, a consumer-aid website that conducts research uncovering cyber security breaches.
The report, which analyzed breaches from a variety of sources, found that across all levels of government, 175 million records were affected in 822 individual incidents nationwide. The USPS and OPM breaches ranked first and second in major disclosures of information among data breaches by state, local and federal governments in the study period.
Fortifying information security has been a years-long priority for federal agencies, especially as the White House’s modernization push is making paper processes take digital forms that require secure systems and people to build them. That goal has branched into a number of different initiatives, from beefing up tech talent through workforce training and development, to creating new responsibilities and positions devoted to IT, to expanding zero-trust goals.
Still, the Government Accountability Office has said weakness remains across federal agencies when it comes to locking down their stores of personally identifiable information.
Two instances in recent memory painfully illustrate that fact.
“2018 saw a colossal 83 million breached records,” the Comparitech report said. “They mainly stemmed from one breach on the US Postal Service, affecting 60 million records.”
USPS user account details were exposed that year because of a soft spot in the website’s software interface, according to KrebsOnSecurity, which first reported the breach. That ultimately led to the exposure of sensitive account information like usernames, addresses and phone numbers.
Comparitech ranked this as number one in the top five biggest government data breaches since 2014.
The second-largest breach had a more nefarious backstory.
At OPM, hackers compromised 21.5 million pieces of information on background investigations — much smaller than the USPS breach but still devastating enough to result in a $63 million settlement by OPM and its contractor for affected employees. (The deadline to file a claim in the class-action lawsuit passed earlier this month.)
In June 2015, the government’s central HR office discovered two separate but related cybersecurity failures that resulted in background investigation records being stolen, which in some cases also jeopardized Social Security numbers and fingerprints.
About a month before, personnel data for 4.2 million current and former employees had been stolen.
Reports after the breaches concluded that if an individual underwent a background investigation through OPM in 2000 or later, it was “highly likely” that the individual was impacted by the cyber breach.
Across both incidents, there was an overlap of about 3.6 million people who were affected by both incidents.
Beyond those incidents, law enforcement agencies, federal and otherwise, have also been specific targets, the Comparitech report said. Police-like agencies made up 13% of entities impacted by breaches.
In one example from 2019, Customs and Border Protection discovered that 184,000 photos of travelers from the facial recognition pilot and license plates became accessible during a cyber attack on a federal contractor. Some of the images then appeared on the dark web, according to the inspector general report.
Before the contractor was attacked, however, officials discovered that the company had transferred copies of biometric data, such as traveler images, to its own network from a computer system connected to cameras at the test site in Anzalduas, Texas.
“CBP’s IT security controls were inadequate to prevent these actions, which put traveler data at risk,” the OIG report said. “The subcontractor’s network was later the subject of a malicious cyber attack.”
In 2019, after the dust had settled from many of these major breaches, GAO reported that none of the 24 major federal agencies had fully implemented best practices for IT and cybersecurity workforce planning.
Information security has been a high-risk vulnerability for agencies since the 1990s, though in reports from the last few years, GAO has said federal agencies have “not fully assessed and addressed future agency cybersecurity workforce needs.”
“The cyber threat landscape is getting more complex, dynamic and dangerous every day,” said Felicia Purifoy, the chief human capital officer for the Cybersecurity and Infrastructure Security Agency, in a statement. “At the same time, we have a global shortage of cyber talent that affects every organization, including the federal government.”
Looking ahead to 2023, the latest government spending bill allocates nearly $3 billion to CISA, a small increase from last year.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.