Earlier this month, the State Department experienced a data breach within its unclassified Microsoft Office 365 cloud-based email service, compromising the personal information of a small number of employees. State Department employees have always been a target for hackers, especially those working for foreign governments (one of the most famous cybersecurity incidents in U.S. government history occurred in late 2014, when the National Security Administration and Russian hackers grappled for control of State Department servers).
While reports say that this most recent breach affected less than 1% of employee inboxes, watchdog reports have consistently requested that the department increase its cybersecurity protections—because even 1% is one too many.
With this latest breach coming to light, let’s look back at 6 of the largest government data breaches (by number of people affected) and review what your organization can do to protect its critical data.
6 of the Biggest Government Data Breaches
1. Georgia Secretary of State Office
A lone systems programmer was deemed responsible for #PeachBreach, considered one of the largest state-government data breaches. In 2015, the employee accidentally mailed out CDs containing the information of over 6 million Georgia voters to 12 groups, including news media organizations and political parties. Needless to say, the programmer was terminated, and the state vowed to enact stricter security protocols.
2. Virginia Department of Health Professions Prescription Monitoring Program
In 2009, hackers broke into this Virginia state site—it tracks prescription drug abuse—and deleted more than 8 million patient records and 35 million prescription records. In their place? A ransom note demanding $10 million for the safe return of the records, and a threat that they would sell the data if denied the ransom. Governor Tim Kaine refused to give into demands, and thankfully there was never any indication that the hackers sold the stolen data.
3. United States Office of Personnel Management (OPM)
Essentially the Human Resources department of the U.S. federal government, the OPM is responsible for managing the employee and contractor employment records. In 2009, a security engineer discovered a piece of malware disguised as McAfee security software hidden within their system. This find resulted in a massive investigation that turned up over 2,000 individual pieces of malware—everything from routine adware to dormant viruses. An estimated 21.5 million people were affected because the data was not encrypted at the time of the breach.
4. United States Department of Veteran Affairs
In 2006, the private information of over 26 million veterans, including names, date of birth, and social security numbers, was compromised—all due to one lost laptop. This resulted in a class-action lawsuit, and in 2009, Veteran Affairs paid out $20 million to settle.
5. National Archives and Records Administration (NARA)
While it may not have received a lot of attention at the time, a 2009 incident at NARA exposed the personal information of over 75 million servicemen. The result of human error, a NARA employee sent a hard drive containing the data to an IT contractor for repair without first wiping the drive clean.
6. United States Voter Database
The largest government data breach to date occurred in 2015, when a database of over 190 million voters across the country was exposed. The database held names, birthdates, party affiliations, emails, addresses, and more. Which hacker group was behind the attack? There wasn’t one. The database was incorrectly configured and placed on the internet, again the result of human error.
6 Ways to Protect Your Data
1. Educate Employees
In many of the scenarios above, human error was to blame. Employee education cannot be stressed enough. Training employees on security measures like how to treat suspicious emails and links, and what a secure password looks like, can help keep your organizations sensitive information secure.
2. Install Encryption Software
Lost and stolen devices can be very damaging if they get into the wrong hands, as illustrated by the United States Department of Veteran Affairs story above. Lessen the risk with whole-disk encryption software, which bars access to data by unauthorized users. Also, install remote-wipe apps on all mobile devices so data can be easily erased if the device goes missing.
3. Employ Content Scanning, Filters, and Antivirus
Don’t rely on a “human firewall.” A scanner or filter on mail servers will check for known threats within inbound emails and block any attachments that could be dangerous. Also, be sure AV is current across all endpoints. It’s not impenetrable, as malware is always evolving, but it is a solid first line of defense.
4. Update and Backup Regularly
Regular updates help maintain the integrity of your systems and install patches that eliminate weaknesses that malware aims to exploit. Plus, a daily backup of important data gives attackers a lot less leverage; rather than pay up, victims can restore previously saved data with minimal loss (learn about the 3-2-1 backup strategy).
5. Purchase Cyber Insurance
These policies generally cover your business’ liability for breaches involving customer information such as Social Security, credit card, and driver’s license numbers, in addition to health information.
6. Work with a Cloud Services Provider
Managing IT can be a burden, especially for government agencies that need to meet the highest levels of security and compliance. A reputable managed cloud services provider can help maintain and monitor the security of your data, and assist in recovery in the event of an attack or breach. Learn more about CJIS compliance in our recent story: CJIS Compliance in the Cloud: What You Need to Know.
The G-Cloud: Powering Florida’s Government Agencies
If you’re considering migrating your data to the cloud, consider DSM’s G-Cloud. G-Cloud is the first—and only—Florida-based VPC solution designed for national, state, regional, and local government agencies. We ensure strict security protocols, 99.99%+ uptime, and a complete compliance package; meeting the requirements for CJIS, HIPPA, PCI, SOC, and SSAE16. Even better? DSM’s G-Cloud is now available for purchase through the GSA contract. Learn more about the G-Cloud difference and the GSA advantage here, or contact one of our IT experts today for a free consultation.