Governments accounted for 1 out of 5 breaches that exposed private data

Reports show that in 2008 most government incidents occurred while data was in transit.

The number of security breaches that exposed personally identifiable information in government systems in 2008 was far below what the private sector reported, according to a series of reports released by a consumer protection organization on Tuesday.

Of the 656 security breaches reported last year, 16.8 percent occurred in systems operated by state, local and federal governments, including military networks, according to a compilation of reports released by the Identity Theft Resource Center.

The number of breaches reported in 2008 increased 47 percent compared with 2007. But the share of incidents involving government systems decreased in 2008, down from 24.5 percent of the total breaches reported in 2007.

Companies in the financial and credit market accounted for 11.9 percent of the breaches, while organizations in the health care sector were responsible for 14.8 percent. Businesses in general accounted for 36.6 percent of breaches, or 240 incidents, and educational institutions accounted for 20 percent.

"The government comes out looking better than commercial, which is the good news," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "The bad news is that both industries need to do something about authentication."

He said the federal government's lack of compliance with Homeland Security Presidential Directive 12, which requires all federal employees and contractors to use a biometrically enabled identity card to access facilities and computer networks, has hurt agencies' ability to better protect systems.

"That's a failure," Lewis said.

The most common breach of private data involving government systems occurred when data was in transit. The Identity Theft Resource Center categorized 28 of the 110 breaches of government information as "data on the move," meaning the information was not properly protected while traveling over the network. Twenty-two government breaches were "insider theft," in which employees stole the information from a federal computer system; 20 breaches involved employees accidentally exposing private data; and 15 were caused by subcontractors failing to protect data on their systems properly. Hacking accounted for only five of the breaches reported during the year.

"It comes down to whether or not we're protecting data," Lewis said. "Networks are porous. And if data is important, you need to secure it, usually with encryption. In a lot of cases, people don't make that additional effort."

Only 2.4 percent of all breaches occurred despite the company or agency employing encryption or some other protective method, according to the center, while 8.5 percent of reported breaches circumvented password-protected data.

The federal breach that exposed the greatest volume of personally identifiable information involved an Army network, according to the report. In March, the Army improperly released over the Internet the promotion selection lists containing the names and Social Security numbers of more than 50,000 officers.