A new Congressional report reveals that the government's data security troubles are worse than previously reported, and that every agency or department has suffered a breach of some kind.
The House Committee on Government Reform commissioned a report asking for information on every breach of data security the government has suffered since Jan. 1, 2003.
The completed report contained 788 incidents of data loss or theft; the dubious honor of most individual incidents went to the Treasury Department, with 340 separate cases of data breaches in the past three years.
The Committee blasted government agencies for not keeping track of data thefts or even knowing what information was lost much of the time.
"In many cases, agencies do not know what information they have, who has access to the information, and what devices containing information have been lost, stolen, or misplaced," the report said.
"In addition, in almost all of the reported cases, Congress and the public would not have learned of each event unless the Committee had requested this information."
The Committee gave the government a mark of "D+" for its yearly information security reports, saying that many agency scores remained low or decreased "precipitously" through 2006.
The report found that the majority of data breaches came from the loss or theft of equipment containing personal data, such as laptop and desktop computers, or personal storage devices.
Outside attacks by hackers or incidents of accidental posting of private data were less common, but contributed to the remainder of total data breach incidents over the three-year-period.
Third-party private contractors took much of the blame for incidents of data loss, as many of the government's information technology functions have been outsourced to outside companies.
The instances of data theft compiled in the report include the following:
• A contractor working for the Department of Education's Federal
Student Aid program lost a package containing personal information on
over 8,000 borrowers, when it elected to ship the data via commercial
transit. The Department never notified any of the borrowers that the
loss occurred.
• A contractor employed by the Department of Homeland Security's
Citizenship and Immigration Services (CIS) division left boxes of
documents containing sensitive personal information by a dumpster. The
documents contained Social Security numbers, completed I-9 forms, and
other personally identifying data.
• The Centers for Medicare and Medicaid Services (CMS) reported the
loss of a laptop containing personal and medical data on nearly 50,000
Medicare beneficiaries in June 2006, when it was stolen from an
employee of a contracting agency working for CMS.
The report was commissioned after the loss of a laptop containing 26.5 million veterans' personal records from the home of an analyst who worked for the Veterans' Administration. The theft remains the benchmark for government-related data breaches, and agencies have scrambled to put new safeguards on access to and storage of data since the theft.
Other examples of recent data breaches from government agencies include the temporary exposure of personal information for 21,000 student loan borrowers on a Web site run by the Department of Education.
Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, recently authored a bill that would supposedly do more to improve data security practices and enforce better control of equipment. The bill was roundly criticized for not offering much in the way of substantial plans beyond "instituting procedures" in the event of a data breach.
The complete text of the report is available online (.pdf file).
