recommended reading

Hacked Agencies Are Inconsistent in Alerting Victims

Sergey Nivens/

Agencies are not in synch when it comes to notifying victims of hacks, which might be impairing the government’s ability to protect affected federal employees and citizens from predators, according to a new federal audit

The number of reported government data breaches that compromised personal information spiked 42 percent between fiscal years 2011 and 2012, increasing from 15,584 cases to 22,156 cases, Government Accountability officials report.

While the rate of reported hacks has grown, improvement in responding to those hacks has not, according to their audit, which was released on Wednesday.

Within eight agencies examined, "implementation of breach response policies and procedures was not consistent," the report stated, adding that consequently, "these agencies may not be taking corrective actions consistently to limit the risk to individuals from [personal information]-related data breach incidents."

For example, the Internal Revenue Service and Federal Retirement Thrift Investment Board did not factor in the number of individuals affected to calculate the likely risk of harm and level of impact of each incident.

And at the Centers for Medicare and Medicaid Services -- which oversees, the Veterans Affairs Department, Federal Deposit Insurance Corporation and Federal Reserve Board, "we found that the agencies did not always document the number of affected individuals for each case," the study stated.

"While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of a data breach,” the study added.

The review examined several past high-profile breaches at various agencies. “Most notably," according to GAO, was the theft of VA computer equipment containing personal information on about 26.5 million veterans and active duty members. Auditors also looked at the 2011 hack of a computer containing the Social Security numbers of 123,000 federal employee retirement plan participants.

Wednesday's report does not address some of the most recent major incidents, such as the Energy Department's sluggish response to a July 2013 breach that ultimately affected 104,000 federal employees and the 2011 theft of backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries.

The audit partly blames the uneven incident response on incomplete guidance from the Office of Management and Budget. After reading a draft report, OMB officials asked GAO to specify what extra instructions agencies need. In the final report, the auditors recommended that OMB provide directions on notifying victims based on a hack’s risk-level, as well as criteria for determining whether to offer individuals assistance, such as credit monitoring.

(Image via Sergey Nivens/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.