
Hacked Agencies Are Inconsistent in Alerting Victims


Agencies are not in sync when it comes to notifying victims of hacks, which may be impairing the government's ability to protect affected federal employees and citizens from predators, according to a new federal audit.

The number of reported government data breaches that compromised personal information spiked 42 percent between fiscal years 2011 and 2012, rising from 15,584 cases to 22,156 cases, Government Accountability Office officials report.

While the number of reported hacks has grown, agencies' handling of those hacks has not improved, according to the audit, which was released on Wednesday.

Within eight agencies examined, "implementation of breach response policies and procedures was not consistent," the report stated, adding that consequently, "these agencies may not be taking corrective actions consistently to limit the risk to individuals from [personal information]-related data breach incidents."

For example, the Internal Revenue Service and Federal Retirement Thrift Investment Board did not factor in the number of individuals affected to calculate the likely risk of harm and level of impact of each incident.

And at the Centers for Medicare and Medicaid Services -- which oversees HealthCare.gov -- as well as the Veterans Affairs Department, the Federal Deposit Insurance Corporation and the Federal Reserve Board, "we found that the agencies did not always document the number of affected individuals for each case," the study stated.

"While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of a data breach," the study added.

The review examined several past high-profile breaches at various agencies. “Most notably," according to GAO, was the theft of VA computer equipment containing personal information on about 26.5 million veterans and active duty members. Auditors also looked at the 2011 hack of a computer containing the Social Security numbers of 123,000 federal employee retirement plan participants.

Wednesday's report does not address some of the most recent major incidents, such as the Energy Department's sluggish response to a July 2013 breach that ultimately affected 104,000 federal employees and the 2011 theft of backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries.

The audit partly blames the uneven incident response on incomplete guidance from the Office of Management and Budget. After reading a draft of the report, OMB officials asked GAO to specify what extra instructions agencies need. In the final report, the auditors recommended that OMB provide direction on notifying victims based on a hack's risk level, as well as criteria for determining whether to offer affected individuals assistance, such as credit monitoring.

(Image via Sergey Nivens/Shutterstock.com)
