Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:45 PM
Connect Directly

Federal Government Most Prone To Repeat Breaches

It isn't just the White House that gets compromised more than once. Also, in a shifting trend, malicious insider attacks don't cut quite as deep as outsiders' do, report finds.

After a data breach, some organizations get up and redouble their defenses, while others get kicked while their down, again and again. Government agencies seem to be most prone to those relentless beatings, according to a report by Risk Based Security (RBS) that will be released Thursday.

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

By Risk Based Security's count, over the 10 years they've been collecting breach data, 1,400 organizations have had their records exposed on several occasions. On their list of the Top 10 "Most Breached Organizations of All Time," six are government entities: the U.S. Office of Veteran's Affairs (39 incidents), the U.S. Postal Service (25), the United Kingdom's Ministry of Defense (18), the U.S. Department of Defense (17), the U.S. Army (16), and the Internal Revenue Service (16).

Credit data company Experian holds the unfortunate title of most-breached, with 56 incidents.

The researchers also call out the U.S. Office of Personnel Management, which suffered one of the worst incidents of 2015. This year's breach exposed personal data on 21.5 million current and former federal employees, contractors, job candidates, and employees' relatives. It exposed data from background checks, Social Security numbers, residency history, employment history, family, health, financial history, and 5.6 million fingerprints. But that wasn't the only blemish on OPM's security record. OPM's network was broken into in March 2014, and more data was exposed after credentials had been lifted from a third party. 

Why is government hit so often? Jake Kouns, CISO of RBS, attributes a variety a variety of factors. It's "where the juicy information is right now," the scale of the agencies' environments and assets is "massive," and they have countless vacancies in security positions. "Whether you believe that nation-states are always targeting them or not," he says, "there's some fire where there's smoke."

Government breaches are also, on average, bigger. Government accounted for only 12.3% of incidents, but 23.5% of exposed records -- 232,956 records per incident. Federal agencies were the worst offenders.

Therefore, it's no surprise that when broken down by state (counting the District of Columbia as a state), D.C. claimed the number 2 spot on the list of the sources of most exposed records in the United States. The only state responsible for more exposed records was Indiana, home to the corporate headquarters of Anthem Blue Cross Blue Shield, victim of 2015's largest breach.

"Most government organizations do have a lot of data, so when they have a breach it's going to be catastrophic," Kouns says. 

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

Overall, across all sectors, hacking was responsible for 66.3% of breach incidents, and 83.2% of exposed records. Outside attackers committed 78.5% of incidents, accounting for 82.9% of exposed records. Meanwhile, malicious insiders committed 7.3% of incidents, accounting for only 1.0% of records.

The fact that hacking and outsiders are not only the source of the most attacks but the most damaging attacks is noteworthy. It's a shift that Kouns says began began a couple years ago and has accelerated. Once upon a time, there might be loads of outside hackers trying to bang away at your network, but the severe attack would come from "the trusted insider" with malicious intentions. Now the reverse is true.

In the first nine months of 2015, 3006 incidents have been reported, exposing 366 million records. Although that's far fewer records than 2014 numbers, it's more incidents in a nine-month time frame than RBS has ever seen in the 10 years they've been collecting this data.


The good news is that most breaches are quite small. Forty percent expose only 100 records or less. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...