Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:45 PM
Connect Directly

Federal Government Most Prone To Repeat Breaches

It isn't just the White House that gets compromised more than once. Also, in a shifting trend, malicious insider attacks don't cut quite as deep as outsiders' do, report finds.

After a data breach, some organizations get up and redouble their defenses, while others get kicked while their down, again and again. Government agencies seem to be most prone to those relentless beatings, according to a report by Risk Based Security (RBS) that will be released Thursday.

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

By Risk Based Security's count, over the 10 years they've been collecting breach data, 1,400 organizations have had their records exposed on several occasions. On their list of the Top 10 "Most Breached Organizations of All Time," six are government entities: the U.S. Office of Veteran's Affairs (39 incidents), the U.S. Postal Service (25), the United Kingdom's Ministry of Defense (18), the U.S. Department of Defense (17), the U.S. Army (16), and the Internal Revenue Service (16).

Credit data company Experian holds the unfortunate title of most-breached, with 56 incidents.

The researchers also call out the U.S. Office of Personnel Management, which suffered one of the worst incidents of 2015. This year's breach exposed personal data on 21.5 million current and former federal employees, contractors, job candidates, and employees' relatives. It exposed data from background checks, Social Security numbers, residency history, employment history, family, health, financial history, and 5.6 million fingerprints. But that wasn't the only blemish on OPM's security record. OPM's network was broken into in March 2014, and more data was exposed after credentials had been lifted from a third party. 

Why is government hit so often? Jake Kouns, CISO of RBS, attributes a variety a variety of factors. It's "where the juicy information is right now," the scale of the agencies' environments and assets is "massive," and they have countless vacancies in security positions. "Whether you believe that nation-states are always targeting them or not," he says, "there's some fire where there's smoke."

Government breaches are also, on average, bigger. Government accounted for only 12.3% of incidents, but 23.5% of exposed records -- 232,956 records per incident. Federal agencies were the worst offenders.

Therefore, it's no surprise that when broken down by state (counting the District of Columbia as a state), D.C. claimed the number 2 spot on the list of the sources of most exposed records in the United States. The only state responsible for more exposed records was Indiana, home to the corporate headquarters of Anthem Blue Cross Blue Shield, victim of 2015's largest breach.

"Most government organizations do have a lot of data, so when they have a breach it's going to be catastrophic," Kouns says. 

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

Overall, across all sectors, hacking was responsible for 66.3% of breach incidents, and 83.2% of exposed records. Outside attackers committed 78.5% of incidents, accounting for 82.9% of exposed records. Meanwhile, malicious insiders committed 7.3% of incidents, accounting for only 1.0% of records.

The fact that hacking and outsiders are not only the source of the most attacks but the most damaging attacks is noteworthy. It's a shift that Kouns says began began a couple years ago and has accelerated. Once upon a time, there might be loads of outside hackers trying to bang away at your network, but the severe attack would come from "the trusted insider" with malicious intentions. Now the reverse is true.

In the first nine months of 2015, 3006 incidents have been reported, exposing 366 million records. Although that's far fewer records than 2014 numbers, it's more incidents in a nine-month time frame than RBS has ever seen in the 10 years they've been collecting this data.


The good news is that most breaches are quite small. Forty percent expose only 100 records or less. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.