The number of data breaches suffered by US Government networks reached more than 46,000 in 2013, many of them caused by the incompetence or mistakes of workers, a Freedom of Information survey by the Associated Press has discovered.
The number has risen steadily too, growing on .gov and .mil networks from 26,942 to 46,605 between 2009 and 2013, with US-CERT responding to an astonishing 228,700 cyber-incidents last year at US various departments and partners.
Documents obtained during the research showed that 21 percent of the breaches were traced to workers breaking security policies, 16 were caused by lost or stolen devices, and (interestingly) 12 percent who printed out sensitive data without handling it in a secure way.
A modest-sounding eight percent of loss was connected to staff who were infected with malicious software and, rather disturbingly, while a review by the White House showed that six percent of workers had been “enticed” into giving it up, which presumably covers social engineering.
“In one incident around Christmas 2011, Education Department employees received an email purportedly from Amazon.com that asked them to click on a link. Officials quickly warned staff that it could be malicious,” said AP.
Most of the recoded cyber-attacks happened at a small core of agencies, including the Department of Defense, Department of Education, National Weather Service, AP’s research revealed.
Judging from the dozens of of FoI requests that were required to elicit this data, it’s not surprising that the scale of US Government data breaches and cyber-attacks is still a little-discussed topic.
Many of the attacks had a criminal element behind them, trawling employee records for profit and identity theft in a way that treats the US Government like any other business target.
But given the recent revelation that Russia hackers found a way into the unclassified admin network of the White House, a sizable number will also have been the work of actors.
The important metric that is missing from all this is an assessment of the damage. Until now, breaches have been judged largely on their size. For Governments, by contrast, even the smallest ones could hurt.