Security Firm Rapid 7 has published an interesting analysis on government data breach reported from January 1, 2009 to May 31, 2012. The document present a worrying scenario in which 268 incidents exposed more than 94 million records containing sensible information. This type of incident is really dangerous due the nature of information exposed that could represents the starting point for further attacks. Marcus Carey, security researcher at Rapid7, declared:
“Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specifc threats that government entities are facing, because knowing these threats is key to be able to reduce risk.”
In US all states have adopted laws requiring that companies victims of incident to notify information to their customers in order to proper response to the event. Recently, Senate Republicans have introduced draft legislation known as the “Data Security and Breach Notification Act of 2012 (S.3333)” to propose a national recognized procedure to respond to data breaches. Governments networks are privileged targets for several type of attackers, foreign state-sponsored hackers, hacktivists and cyber criminals, and in every cases the principal objective is cyber espionage, are increasing in fact the attacks to expose government information or to steal intellectual properties in critic sectors such as the defense. The Report of Rapid 7 has been published few days after the publication by Symantec of the document on the “Elderwood project” that describe the ongoing impact of cyber espionage operations and attacks part of the famous Op. Aurora.
Despite 2010 was the year with highet number of incidents, the major number of records exposed is related to 2009, in particular in the month of October 2009 76 million US veterans’ personally identifiable information (PII) was exposed after a defective hard drive was sent to a government vendor for repair and recycle before the data was erased.
The Report proposes the division of data breaches in the following categories:
Going in the details of the data proposed by Rapid 7, the number of incidents and reported PII records exposed during the period of observation are:
The data proposed in my opinion demonstrate that this type of incidents could be sensibly reduced with an opportune awareness campaign, as seen a great number of incidents is related to misconduct of users, that not intentionally, apply an adequate protection to their data. Excluding hacking attacks made by foreign governments and cyber criminals that exploit 0-days vulnerabilities, with the definition of best practices and the adoption of a behavior compliance to the current standard in matter of security it is possible to avoid data breach incidents, or at least reduce the number of exposed information. That consideration is an imperative in government environments to avoid dramatic incidents that could expose homeland security.