recommended reading

Hacked Agencies Are Inconsistent in Alerting Victims

Sergey Nivens/

Agencies are not in synch when it comes to notifying victims of hacks, which might be impairing the government’s ability to protect affected federal employees and citizens from predators, according to a new federal audit

The number of reported government data breaches that compromised personal information spiked 42 percent between fiscal years 2011 and 2012, increasing from 15,584 cases to 22,156 cases, Government Accountability officials report.

While the rate of reported hacks has grown, improvement in responding to those hacks has not, according to their audit, which was released on Wednesday.

Within eight agencies examined, "implementation of breach response policies and procedures was not consistent," the report stated, adding that consequently, "these agencies may not be taking corrective actions consistently to limit the risk to individuals from [personal information]-related data breach incidents."

For example, the Internal Revenue Service and Federal Retirement Thrift Investment Board did not factor in the number of individuals affected to calculate the likely risk of harm and level of impact of each incident.

And at the Centers for Medicare and Medicaid Services -- which oversees, the Veterans Affairs Department, Federal Deposit Insurance Corporation and Federal Reserve Board, "we found that the agencies did not always document the number of affected individuals for each case," the study stated.

"While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of a data breach,” the study added.

The review examined several past high-profile breaches at various agencies. “Most notably," according to GAO, was the theft of VA computer equipment containing personal information on about 26.5 million veterans and active duty members. Auditors also looked at the 2011 hack of a computer containing the Social Security numbers of 123,000 federal employee retirement plan participants.

Wednesday's report does not address some of the most recent major incidents, such as the Energy Department's sluggish response to a July 2013 breach that ultimately affected 104,000 federal employees and the 2011 theft of backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries.

The audit partly blames the uneven incident response on incomplete guidance from the Office of Management and Budget. After reading a draft report, OMB officials asked GAO to specify what extra instructions agencies need. In the final report, the auditors recommended that OMB provide directions on notifying victims based on a hack’s risk-level, as well as criteria for determining whether to offer individuals assistance, such as credit monitoring.

(Image via Sergey Nivens/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.