Gov’t Breaks Record for Number of Data Breaches in 2013

25,566 incidents of lost taxpayer data, Social Security numbers, patient health information

April 3, 2014 3:55 pm


The federal government set another record for the number of data breaches last year, revealing the sensitive personal information of thousands of Americans.

The Government Accountability Office (GAO) said on Wednesday there were 25,566 "information security incidents" in 2013, up from a previous record of 22,156.

Breaches involving personally identifiable information (PII) at the federal level have more than doubled over the last several years, the GAO said, up from 10,481 in 2009.

The number of incidents surged in 2012, after only 15,584 in 2011.

The figures were revealed in testimony from Gregory C. Wilshusen, director of information security issues at GAO, in a hearing before the Senate Committee on Homeland Security and Governmental Affairs.

"As you know, in carrying out its responsibilities the federal government collects large quantities of PII, such as taxpayer data, census data, Social Security information, and patient health information, on American citizens and other residents of our nation," Wilshusen said. "Consequently, it is critical that federal agencies take steps to secure the information they collect, retain, and disseminate and that, when events such as data breaches occur, they respond swiftly and appropriately."

Wilshusen said the government’s response to data breaches has been "inconsistent" and needs improvement.

The GAO categorizes data breaches as inadvertent, such as the loss of a computer, or deliberate, defined as "cyber-based attacks by a malicious individual or group, foreign nation, terrorist, or other adversary."

Wilshusen said that many of the security breaches involved PII and offered Congress a breakdown of the types of incidents in 2013.

Of the 25,566 incidents, 25 percent were "non-cyber," 19 percent involved a "policy violation," 16 percent were a result of "malicious code," and 5 percent were due to "suspicious network activity."

The testimony also revealed that 24 major federal agencies have weaknesses in "security management" and "contingency planning."

The GAO previously found that the Department of Veterans Affairs, Centers for Medicare and Medicaid Services (CMS), and the Internal Revenue Service (IRS) had higher rates of data breaches than other agencies.

To warn of the consequences of lax security, Wilshusen cited a cyber breach at the Department of Energy last July in which 104,179 employees had their Social Security and bank account numbers stolen "with relative ease."

That breach alone could cost the government more than $3.7 million in assistance to those affected and in lost productivity, he said.