Federal Government Most Prone To Repeat Breaches

After a data breach, some organizations get up and redouble their defenses, while others get kicked while their down, again and again. Government agencies seem to be most prone to those relentless beatings, according to a report by Risk Based Security (RBS) that will be released Thursday.

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

By Risk Based Security's count, over the 10 years they've been collecting breach data, 1,400 organizations have had their records exposed on several occasions. On their list of the Top 10 "Most Breached Organizations of All Time," six are government entities: the U.S. Office of Veteran's Affairs (39 incidents), the U.S. Postal Service (25), the United Kingdom's Ministry of Defense (18), the U.S. Department of Defense (17), the U.S. Army (16), and the Internal Revenue Service (16).

Credit data company Experian holds the unfortunate title of most-breached, with 56 incidents.

The researchers also call out the U.S. Office of Personnel Management, which suffered one of the worst incidents of 2015. This year's breach exposed personal data on 21.5 million current and former federal employees, contractors, job candidates, and employees' relatives. It exposed data from background checks, Social Security numbers, residency history, employment history, family, health, financial history, and 5.6 million fingerprints. But that wasn't the only blemish on OPM's security record. OPM's network was broken into in March 2014, and more data was exposed after credentials had been lifted from a third party. 

Why is government hit so often? Jake Kouns, CISO of RBS, attributes a variety a variety of factors. It's "where the juicy information is right now," the scale of the agencies' environments and assets is "massive," and they have countless vacancies in security positions. "Whether you believe that nation-states are always targeting them or not," he says, "there's some fire where there's smoke."

Government breaches are also, on average, bigger. Government accounted for only 12.3% of incidents, but 23.5% of exposed records -- 232,956 records per incident. Federal agencies were the worst offenders.

Therefore, it's no surprise that when broken down by state (counting the District of Columbia as a state), D.C. claimed the number 2 spot on the list of the sources of most exposed records in the United States. The only state responsible for more exposed records was Indiana, home to the corporate headquarters of Anthem Blue Cross Blue Shield, victim of 2015's largest breach.

"Most government organizations do have a lot of data, so when they have a breach it's going to be catastrophic," Kouns says. 

According to the study, 99 organizations have been hit by multiple data breaches in 2015 alone (one as many as a dozen times), and 21 of them were in government.

Overall, across all sectors, hacking was responsible for 66.3% of breach incidents, and 83.2% of exposed records. Outside attackers committed 78.5% of incidents, accounting for 82.9% of exposed records. Meanwhile, malicious insiders committed 7.3% of incidents, accounting for only 1.0% of records.

The fact that hacking and outsiders are not only the source of the most attacks but the most damaging attacks is noteworthy. It's a shift that Kouns says began began a couple years ago and has accelerated. Once upon a time, there might be loads of outside hackers trying to bang away at your network, but the severe attack would come from "the trusted insider" with malicious intentions. Now the reverse is true.

In the first nine months of 2015, 3006 incidents have been reported, exposing 366 million records. Although that's far fewer records than 2014 numbers, it's more incidents in a nine-month time frame than RBS has ever seen in the 10 years they've been collecting this data.

The good news is that most breaches are quite small. Forty percent expose only 100 records or less.