During another incident in March 2017, hackers gained access to the names, birthdays and Social Security numbers of more than 430,000 people who had used an employment website hosted by the Oklahoma state government.
After suffering a separate attack, the Vermont Department of Labor may have exposed the personal information of more than 180,000 unemployment applicants when a database maintained by a third-party vendor was hacked.
Cybersecurity vulnerabilities aren’t limited to websites and data centers — or government. A recent study by Trend Micro examined exposed devices belonging to six critical infrastructure sectors in the US — including government — and found a large volume of exposed cyber assets from all sectors.
According to the study, “Organizations, especially those considered to be part of critical infrastructure sectors, must always operate on the assumption that they have already been compromised and take steps to both detect and defend against threat actors.”
What’s clear is that cybersecurity is everyone’s responsibility. However, when individuals interact with government at the federal, state and local level, it’s not unusual for them to share personal data such as their names, addresses, Social Security numbers or even credit card information.
But as recent events have shown, the government — just like the private sector — is vulnerable to significant data breaches.
In May 2015, the IRS reported that criminals had used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on some 114,000 tax accounts through its “Get Transcript” application. By February 2016, after some investigation, the agency said it had identified more questionable attempts to obtain transcripts, bringing the total number of taxpayers affected to 724,000.
Data involved in the IRS breach included Social Security numbers, birth dates and street addresses. Attackers “gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multistep authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS noted in a statement.
The IRS attack happened the same year the federal government suffered one of the largest data breaches in government history. The Office of Personnel Management (OPM) was the target of a cyberattack aimed at the personal records of as many as 21 million people. Reports on the attack said one of the main contributing factors was the agency’s lack of visibility and control over its IT systems and security vulnerabilities.
In September 2015, the OPM and U.S. Department of Defense announced that investigations showed that, among the individuals whose sensitive information was affected by the breach, 5.6 million also had fingerprints stolen. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the announcement said. “However, this probability could change over time as technology evolves.”
More than 18 months after the breach was first reported, an audit released November 18, 2016, showed that the agency failed to meet Federal Information Security Modernization Act (FISMA) requirements and still had extensive system vulnerabilities.
Data provided to government agencies can potentially be hacked, and individuals need to take this into consideration when providing personal information to the government. Likewise, agencies at all levels of government need to strengthen cybersecurity and adopt solid data management policies to thwart potential attacks.
And while technology solutions are a big part of this, they’re not the only component of a successful security strategy. Government agencies can also boost cybersecurity efforts by working in concert with the private sector to share threat intelligence.
As the cybersecurity threat landscape grows, federal and state governments need to show the public they are taking data security seriously — so constituents will feel confident that their personal information will be safe.