This is the property of the Daily Journal Corporation and fully protected by copyright.

May 22, 2019

Data breach report should be wakeup call for lawmakers

While attention has been focused on massive data breaches at large corporations over the past few years, a study of cyber incidents in 2018 concludes that governmental agencies are orders of magnitude more likely to be the source of data breaches.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw(r) is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH


The 2019 Data Breach Investigations Report issued by Verizon this month found that more than half of all attacks last year were in the public sector: an astonishing 23,399 incidents, 330 of which were confirmed data breaches. "Incidents" are defined as security events that compromise the integrity, confidentiality or availability of sensitive data. Breaches are incidents for which there is confirmation that data was disclosed to an unauthorized party.

Almost all of the public sector cyber incidents were categorized as "large" breaches, though the report didn't provide a definition. Sixty-six percent of the public sector attacks were carried out by external actors for cyber espionage and the remaining third of the attacks were related to financial motives. Almost as disturbing, however, was the finding that 30 percent of the incidents were attributed to internal actors.

Oddly, the runner-up for most cyberattacks was a category labeled "Unknown," followed by the entertainment sector, with 6,299 attacks but only 10 breaches of data. Not surprisingly, information technology followed closely behind with 1,029 attacks and 155 data breaches, as did the financial sector with 927 attacks and 207 data breaches. The health care industry suffered far fewer attacks, 466, but the vast majority of those attacks, 304, resulted in data breaches. Interestingly, the professional services sector, which includes law firms, was the target of 670 attacks, with 157 data breaches.

These data suggest that legislators and regulators who are charged with protecting the public's sensitive data have been overlooking a huge security vulnerability -- and it's right under their noses. The report concluded that cyberattacks on public agencies increased a whopping 168 percent in 2018 compared with 2017. Not only are government databases being targeted more frequently than corporate databases, but government was far slower to detect and address attacks. Attacks on government data systems were 2.5 times more likely to remain undiscovered than in the commercial sector, and about half of those breaches went undiscovered for years.

A simple inventory of incidents and breaches alone, of course, doesn't fully capture the severity of a breach. Recall that the hack on Equifax's databases led to the exposure of 145.5 million U.S. consumers' credit files. Data disclosed included individuals' names, credit card numbers, Social Security numbers, birth dates, addresses and driver's license numbers. The Equifax hack would be counted as one incident, but obviously the consequences were enormous. And who can forget the breach of Yahoo! Inc., the largest data breach in history, in which 3 billion users' data was compromised. The Yahoo data breach was in some ways less severe because it only revealed customers' names, email addresses and passwords.

All cyberattacks and data breaches aren't created equal, but the government has a special responsibility to protect citizens' data since it stores virtually every type of highly sensitive and personal data that crosses almost all commercial sectors -- financial data in tax returns, health care information in Medicare and Medicaid records, passport numbers and travel information, demographic information, non-public investigations, etc. Much of this information is collected involuntarily by the government, and citizens have little insight into how long the data is retained or how it is used.

Legislation at the federal and state level has given citizens greater rights over the collection and storage of personal data by corporations. Some states have enacted privacy statutes or other legislation giving citizens greater ability to sue for damage caused by commercial data breaches. Good luck trying to sue the government for losing control of highly sensitive personal information.

The federal government has made strides in creating new departments focused on cybercrimes, such as those at the Federal Bureau of Investigation, Homeland Security and the Secret Service's Cyber Division. State governments have done far less to secure data collected and stored by their agencies.

Most of the focus by the federal government is directed toward high-profile cyberattacks from state-sponsored actors or foreign governments themselves. Far less attention is being paid to the more mundane breaches that stem from internal actors. Public sector employees and contractors accounted for one-third, or 7,799, of incidents last year.

The report noted that improper use of credentials and errors by public sector actors accounted for a third of the government data breaches. Errors include responding to phishing emails, data mishandling, loss of devices, and sending information to the wrong recipient (by either email or regular mail). Indeed, 37 percent of data breaches categorized as errors were due to an internal person sending information to the wrong recipient. This percentage is up from 32 percent in 2010.

The conclusions in the Verizon report should be a wakeup call to federal and state legislators. Now is the time to prioritize better training for public sector employees and improving security processes for government data systems before the problem gets worse.
