7:05 AM, Apr 3, 2014 • By JERYL BIER
Millions of individuals who recently entrusted personal, medical, and financial information to the federal government while enrolling in Obamacare via Healthcare.gov may find a recent trend reported by the Government Accountability Office (GAO) rather unsettling. The number of security breaches involving Personally Identifiable Information (PII) at federal agencies more than doubled in recent years, increasing from 10,481 in 2009 to 25,566 in 2013. Perhaps even more disturbing, the GAO found that "none of the seven agencies [in a related study] consistently documented lessons learned from PII breaches."
A graph accompanying the GAO report illustrates the dramatic and consistent upward trend in PII-related breaches over the last several years:
A data breach may consist of something as simple as mailing documents containing PII to the wrong recipient, but also includes incidents involving massive loss of sensitive data as illustrated by these examples in the report:
- [I]n May 2006, the Department of Veterans Affairs (VA) reported that computer equipment containing PII on about 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.
- In July 2013, hackers stole a variety of PII on more than 104,000 individuals from a Department of Energy system. Types of data stolen included Social Security numbers, birth dates and locations, bank account numbers and security questions and answers...
- In May 2012, the Federal Retirement Thrift Investment Board (FRTIB) reported a sophisticated cyber attack on the computer of a contractor that provided services to the Thrift Savings Plan. As a result of the attack, PII associated with approximately 123,000 plan participants was accessed. According to FRTIB, the information included 43,587 individuals' names, addresses, and Social Security numbers, and 79,614 individuals' Social Security numbers and other PII-related information.
While the increasing number of incidents is concerning, the GAO also found that "agencies have had mixed results in addressing" information security "and most agencies had weaknesses in implementing specific security controls." An earlier GAO report in December 2013 covered the responses to PII data breaches of seven federal agencies, including the IRS; the Centers for Medicare and Medicaid Services (CMS), the agency charged with implementing and running Obamacare; and the Veterans Administration (VA). That report found agency responses broadly inconsistent. For example:
- only one of seven agencies reviewed had documented both an assigned risk level and how that level was determined for PII data breaches
- only two agencies documented the number of affected individuals for each incident
- only two agencies notified affected individuals for all high-risk breaches
- the seven agencies did not consistently offer credit monitoring to affected individuals
- none of the seven agencies consistently documented lessons learned from their breach responses
The GAO report also gives a preview of an upcoming report specifically on cybersecurity at federal agencies, and preliminary results are not encouraging. The GAO has found effective and consistent response to cyber incidents in only about 35% of cases:
While these results are still subject to revision, we estimate, based on a statistical sample of cyber incidents reported in fiscal year 2012, that the 24 major federal agencies did not effectively or consistently demonstrate actions taken in response to a detected cyber incident in about 65 percent of reported incidents.
The full GAO report on cybersecurity will be completed and issued later this spring.
7:01 AM, Mar 10, 2014 • By JERYL BIER
Less than a month after the exposure of a widespread vulnerability on government "open data" websites, another perhaps even more insidious opening for abuse of government websites has come to light.
8:07 AM, Feb 20, 2014 • By JERYL BIER
At first glance, a page on the Health and Human Services (HHS) website seems to be giving that agency's official advice on the "The Health Benefits of Nootropics," a classification of purportedly memory-enhancing drugs. The page is found on the website's subdomain of the Assistant Secretary for Planning and Evaluation (ASPE) as part of the Health System Measurement Project.
10:07 AM, Jan 19, 2014 • By DANIEL HALPER
According to a cyber security expert, security for the Obamacare website, Healthcare.gov, is "much worse off" now than before:
1:23 PM, Oct 4, 2013 • By JERYL BIER
A portion of the website of the Substance Abuse and Mental Health Services Administration (SAMHSA) was apparently hacked as long as two months ago. SAMHSA is an agency of the Department of Health and Human Services (HHS). HHS also runs the new Obamacare insurance marketplace, Healthcare.gov.
11:02 AM, Aug 27, 2013 • By DANIEL HALPER
Senator Mary Landrieu, a Democrat from Louisiana, is making the case that some "cyber" jobs need to be moved away from the Washington, D.C. area -- and to Louisiana, where those people might be physically safer.
“Those jobs can’t all be based inside Washington, D.C., and Arlington, Va.,” she explained to a local paper. "Some of those jobs need to be located outside the blast zone."
Landrieu did not explain what blasts she expects to hit the Washington, D.C. area, or when those blasts might hit.
12:00 AM, Jun 15, 2013 • By IRWIN M. STELZER
Chinese president Xi Jinping and U.S. President Barack Obama doffed their ties, rolled up their sleeves (well, at least Obama did), and even took the now-obligatory stroll around the Sunnylands Estate in Rancho Mirage, California, in the manner of Eisenhower and Khrushchev at Camp David, and Reagan and Gorbachev in Switzerland. This enabled the leaders to “establish and deepen their personal relationship,” according to Tom Donilon, Obama’s national security adviser at the time of the meeting.
10:32 AM, Jun 3, 2013 • By KEN JENSEN
Over the past few weeks things cyber have blown up in our faces once again. While some of the media noticed, the gist of the reporting was on who was doing what to us now, not the growing scandal of our essentially supine reaction to it.
11:11 AM, Jun 1, 2013 • By DANIEL HALPER
Defense Secretary Chuck Hagel had some words about the cyber threat from China while speaking today in Singapore. But a Chinese general, in the room for the speech, immediately responded by saying, "China is not convinced."
"Even as we seek to uphold principles in well-established areas, we must also recognize the need for common rules of the road in new domains," Hagel said, according to an official transcript of his remarks.
1:21 PM, May 13, 2013 • By KEN JENSEN
On May 6, the media was full of warnings about an immediately pending cyberattack called “OpUSA.” Homeland Security said “The attacks will likely result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible web pages and possibly data exploitation.”
9:07 AM, Mar 8, 2013 • By KEN JENSEN
Since the hacking of the New York Times, the Wall Street Journal, the Washington Post, etc., and the Mandiant revelations about China’s PLA Unit 61398, the media and Internet have exploded with talk of our reaching a “tipping point” in cybersecurity (or not, depending on the point of view). We’re, in fact, long past the “tipping point”: what Mandiant had to say about Chinese hacking was actually old news to those who follow things cyber.
9:16 PM, Feb 12, 2013 • By DANIEL HALPER
At tonight's State of the Union Address, President Obama will announce that he has signed a cyber security executive order.
Webcraft as spycraft. Jun 11, 2012, Vol. 17, No. 37 • By JONATHAN V. LAST
Last April, the Iranian Oil Ministry and the National Iranian Oil Company noticed a problem with some of their computers: A small number of machines were spontaneously erasing themselves. Spooked by the recent Stuxnet attack, which had wrecked centrifuges in their nuclear labs, the Iranians suspected a piece of computer malware was to blame. They went to the United Nations’ International Telecommunications Union and asked for help.