With new government data breaches being reported on a daily basis, the security of public sector organizations is more important than ever before
Governments have always had secrets. But keeping secrets secret, and private information private, is proving a challenge for the public sector.
As well as state secrets, government departments hold vast troves of data on taxpayers and citizens – from demographic details to criminal records. Add in the tiers of regional and local government, and government agencies, and the scope of personal data in the public sector is vast.
The latest Verizon Data Breach Investigations Report (DBIR) recorded 3,236 security incidents in the public sector in its 2021 dataset.
Attackers mainly gained a foothold through social engineering, which was responsible for more than 69% of breaches within the industry.
The method was almost solely phishing campaigns sent via email, while the most frequently stolen data type was credentials, which were then used to further the attacker’s presence in the victim’s network and systems.
After credentials, personal information was the top data type compromised where breaches were confirmed in this sector, said Verizon.
A large majority (83%) of threat actors were external, while 17% were internal. As for motivations for carrying out breaches, 96% were for financial gain and 4% were due to espionage.
By comparison, the 2019 Data Breach Investigations Report found that 16% of breaches were in the public sector (excluding healthcare), a slight increase on the 14% reported five years earlier.
Just as government departments have become better at protecting data, so they are facing increasingly determined and well-resourced adversaries who see government data as a valuable commercial and political target.
And public sector CISOs should take little comfort from any reduction in the scale of government data breaches.
“Amongst my peers many are saying the lack of reporting of any major subsequent public sector breaches is maybe that the adversaries have the information they need. The vampire does not go back,” Brigadier General (Ret’d) Greg Touhill, a former US Federal CISO and board member at ISACA, told The Daily Swig.
The latest government data breaches – in focus
Definitive global data on public sector and government data breaches is hard to come by, as not all territories are covered by laws such as the EU’s General Data Protection Regulation (GDPR), which mandate breach disclosure.
Data that is in the public domain is also contradictory. Surveys of data breaches and hacks suggest that cyber-attacks in the public sector continue to rise, but that large-scale breaches are becoming less common – at least in the West.
Here’s a list of some of the latest and most serious government data breaches from 2019 to 2021:
- French government (September 2021) – A cyber-attack on the government’s ‘France-Visas’ website exposed the personal details of individuals looking to visit or emigrate to the country.
- Alaska, US (September 2021) – The Alaska Department of Health and Social Services (DHSS) warned that a “highly sophisticated” cyber-attack exposed residents’ personal data, including financial information.
- West Virginia, US (April 2020) – State government revealed that its Mid Atlantic Career Consortium Employment Services (MACC) database was breached after a cyber-attack on Workforce West Virginia, which has the largest database of job seekers in the state.
- Government of Quebec, Canada (February 2020) – The government of Quebec admitted to a data breach potentially impacting around 360,000 teachers employed in the Canadian province.
- Generate, New Zealand (February 2020) – Generate, a savings scheme provider with links to the New Zealand government, reported a security incident impacting around 26,000 citizens.
- Aurora Water, US (January 2020) – Customers of this Colorado water supplier were the latest victims of a series of attacks on the Click2Gov municipality payment software.
- Jailcore, US (January 2020) – Researchers discovered that Jailcore, a provider of prison services in the US, was leaking data related to 20,000 prison inmates.
- Brazilian government (October 2019) – Details relating to as many as 92 million Brazilian citizens were reported to be on sale on the dark web.
- Sberbank, Russia (October 2019) – Russian police opened a case against an unnamed former employee of the state-owned Sberbank who allegedly confessed to selling the credit card details of 5,000 customers on the dark web.
- Suprema, UK (August 2019) – Private biometric company Suprema, which supplies organizations including London’s Metropolitan Police, exposed a database that included more than one million fingerprints, user names, passwords, and facial recognition data.
- NRA, Bulgaria (July 2019) – Bulgaria’s tax authority was hacked in 2019, with the incident affecting more than five million people. The country’s finance minister admitted that 3% of the agency’s database had been accessed.
- City Power, South Africa (July 2019) – Ransomware hit Johannesburg’s electricity supply, with the state-owned City Power losing access to its customer-facing systems. The incident affected more than 250,000 people.
What classifies as a government data breach?
The scope of government data breaches is wide and varied. Incidents of this nature can impact all tiers of government (national, state or regional, or local), along with many distinct public sector agencies covering areas as diverse as tax, health and safety, environmental protection, the military, police, and the justice system, including courts and jails.
Education is a significant part of the public sector, and education institutions are a common source of breaches, in part because they are relatively small organizations that value their autonomy.
Outside the US, some, if not all, healthcare services fall under the responsibility of the government, and the public sector also extends to areas such as housing and transport. All these agencies will hold sensitive data.
Which government organizations are most at risk from data breaches?
Smaller agencies and local government departments appear to be the most at risk from a data breach. This reflects their smaller budgets and IT security teams. At the other end of the spectrum, a SolarWinds survey of federal IT staff found that the military had the strongest security culture and the best training.
Contractors and outsourcers working with the public sector are also a risk. Edward Snowden infamously worked for a contracting firm (Booz Allen Hamilton) when he removed NSA data.
But even sophisticated and well-run public sector bodies are under threat, because of the value of their data. Large, centralized stores of personal records attract hackers; hacktivists and state actors will try to obtain secrets. The case of the Swedish Transportation Agency shows how a combination of poor data security in a smaller agency, outsourcing and the use of contractors exposed some highly sensitive records.
“Each type of government organisation will have its own set of risks, depending on the type of data they handle and services they deliver, as well as their level of maturity in terms of cyber defences,” Amanda Finch, chief executive of the UK’s Chartered Institute of Information Security Professionals told The Daily Swig.
“Local government and healthcare organisations, for example, tend to handle sensitive, personal data but are also working with restricted budgets and have a less mature cybersecurity posture. So they would be an easier target than, say, the military or intelligence organisations.
“Defence, intelligence and higher levels of government that handle top secret and classified information will have much more sophisticated defences in place, making them a much more difficult target.”
Government data breaches can be particularly devastating as they hold a wealth of sensitive information
Which data breach laws apply to governments?
Typically, public bodies face the same sanctions under data protection law as private operations. The UK’s ICO, for example, has been willing to fine public sector bodies: its £120,000 penalty against the University of Greenwich in 2018 was one of the largest fines it issued pre-GDPR.
There is no block exemption from fines for European public sector bodies under GDPR, although the Irish government originally planned to exempt its own public bodies from fines.
Australia is discussing how its Consumer Data Right will apply in the public sector. The country’s Federal Privacy Act governs both private sector and Commonwealth (national) government agencies, with the states and territories setting out their own laws.
Law firm DLA Piper has a comprehensive database of data protection laws.
What are the common causes of government data breaches?
The breadth and scope of government operations means that almost every attack vector is in play when it comes to data breaches. Common causes of government data breaches can include:
- Data exposure through an insecure API
- Misconfigured cloud storage buckets
- Phishing attacks and compromised email accounts
- Web security exploits such as SQL injection
- Out-of-date software
- Employee oversight, such as sending mass emails with every recipient in the ‘To’ or ‘Cc’ field instead of ‘Bcc’
- Zero-day exploits launched by determined nation-state hackers
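One of the causes listed above, misconfigured cloud storage, is the kind of mistake that can be checked mechanically before a bucket ever reaches the internet. The following is an added example, not code from this article or from any agency or vendor named in it: a small, offline Python checker that reads an AWS S3 bucket policy document and reports the Allow statements that hand object data to an anonymous principal. The bucket name, statement Sids and VPC endpoint ID in the embedded sample policy are constructed for illustration. The check covers bucket policies only; ACL-based exposure and the account-level Block Public Access settings are separate controls and are not inspected here.

```python
"""Flag bucket-policy statements that make an S3 bucket world-readable.

Added example, not from the article. It makes no AWS calls: the policy
document is embedded below as constructed sample input.
"""
import json

# Actions that return data to the caller. Any of these granted to an anonymous
# principal without a Condition is treated as a public-exposure finding.
DATA_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a bare string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal grants to everyone: "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant data access to everyone.

    A statement is skipped when it carries a Condition block: conditions such as
    aws:SourceVpce or aws:Referer usually narrow "*" to something internal, and
    judging whether a condition is effective needs a human reviewer rather than
    a heuristic.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & DATA_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample policy (hypothetical bucket name and endpoint ID). The
# "PublicRead" statement was meant for one static-site prefix but was written
# against the whole records bucket; the other two statements are benign.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::agency-records/*",
        },
        {
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::agency-records/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::agency-records/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("world-readable statements:", public_statements(SAMPLE_POLICY))
```

Run against the sample policy, only `PublicRead` is reported: the VPC-endpoint-conditioned statement and the transport Deny are left for a reviewer. In practice the same function can be pointed at the output of `aws s3api get-bucket-policy` for every bucket in an account as a pre-deployment or scheduled control.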
Accidental data loss remains a problem for those tasked with tackling government data breaches. This suggests that more training is needed.
Misconfigured cloud storage buckets can result in government data breaches
What is the cost of a government data breach?
The 2018 Ponemon Institute Cost of a Data Breach Study found that the average public sector data breach cost $2.3 million, or $75 per record. This is significantly less than the $7.9 million and $233 per record the same study reported as the average for US organizations across all industries.
But a like-for-like comparison is not easy. Some public sector data, such as a citizen’s biometric record or details of intelligence agents posted overseas are beyond monetary value.
Against this, public sector bodies have no shareholders and although some, such as universities, will suffer reputational damage after a breach, other agencies are less affected. Executives and politicians might pay with their jobs, but this is hard to convert into a cash sum.
“There are significant differences when dealing with anything in the public sector, namely it has essentially no shame nor reputational branding issues, so the dynamics of accountability are different,” independent security consultant Mark King told The Daily Swig. He adds that a culture of confidentiality means that the public sector is less likely to share lessons learned. This is a hidden cost.
In fact, government data breaches are two-and-a-half times more likely to remain undetected for a year or more than in the private sector. This, in turn, makes it harder for citizens to protect themselves against fraud and identity theft, and for public sector bodies to learn from each other’s mistakes.
“If you ask leaders in the public sector if they have had a significant or material breach, they are 20 percentage points more likely to say they don’t know than their private sector peers,” Kris Lovejoy, EY’s global cybersecurity leader, for advisory, told The Daily Swig.
“It appears that the public sector security officer is much more backward looking, and not as well attuned with what is happening in the business.”
What is the impact of a government data breach?
The impact of a data breach on government and public sector bodies depends on the data they hold, and how far their reputation matters. As yet, we have not seen a government brought down by a data breach, but it could happen. Certainly officials and political leaders are at risk.
The impact of data breaches and other attacks is, though, felt by individuals whose data are exposed, and through the disruption of services. If personal data falls into criminal hands, the impact can affect individuals for a long time, especially if biometric data are lost.
“Credit card data is perishable,” says Greg Touhill. “Healthcare data relates to ID in more ways than you realise. You can’t get a new body or DNA, or biometrics.”
And government data breaches have the potential to disrupt services, through ransomware or manipulation of data, including combining public and private sector sources. If a foreign actor is behind an attack, the consequences could be diplomatic, or even military.
“If you look at stealing roughly half the US population’s credit information [from Equifax] and overlay that with the OPM breach, you have an indication that China is engaged in a large-scale campaign against the US, and its citizens, in the cyber domain,” he says.
Government data breaches have the potential to disrupt municipal services
How should government organizations manage their risks?
Training and user awareness are the most cost-effective and reliable ways to reduce the threats from phishing attacks and accidental data loss. Civilian organizations could take a lead from the military’s security-first approach.
“Public sector security teams are very compliance driven,” says EY’s Lovejoy. “Most CISOs feel it provides the right level of focus and attention, and it is the number one reason they justify their budgets.”
But, she warns, public sector bodies need to go further, and ensure cybersecurity is a core part of digital initiatives.
“What we are seeing, from our research, is that business and cyber teams are not aligned,” Lovejoy said. “The organization is making decisions about e-government or citizen communications. If the cyber team are not engaged, you are more at risk.”
Government bodies also need to invest in security housekeeping such as patch management. A tendency to keep older systems operating for longer increases risk, and public sector CIOs need to balance security against the cost of upgrading or deprecating older systems.
Tools such as data classification will help budgets go further. “If I may quote a dead German general, in the words of Frederick the Great, he who defends everything, defends nothing,” warns Brigadier Touhill.
Information sharing between government departments, and between the public and private sector, is another area where the public sector can improve security, and it is one area where organizations can bolster their defenses against foreign state actors.
“Information sharing was problematic for many years as the public sector always seemed more keen to listen than to share; perhaps this has improved,” says Mark King.
Additional reporting by James Walker.