Share

Watchdog: Accountability

GAO says eight federal agencies fail to fix data breach problems

By |
Watchdog,OMB,Kelly Cohen,Waste and Fraud,Accountability,GAO,Computer hacking,Cybersecurity,Technology

Federal agencies that put valuable personal information at risk are doing too little to address the problem, according to the U.S. Government Accountability Office.

Eight federal agencies have the means to deal with "data breaches," in which personally identifiable information is taken, yet fail to consistently use them.

Data breaches can occur in many ways, according to GAO, including the simple loss of a physical document to hacking by sophisticated cybercriminals.

A loss of such data can lead to serious issues, such as "identity theft or other fraudulent activity," the audit said.

Personally identifiable information is any information that can be used to find someone, such as a Social Security number, home address or medical history data.

GAO said the poor performance by the eight agencies is linked to poor guidance they received from the U.S. Office of Management and Budget.

Seven of the eight agencies failed to "assess the likely risk of harm and level of impact of a suspected data breach in order to determine whether notification to affected individuals is needed" because of poor OMB directions.

None of the agencies reviewed by the GAO "consistently documented the evaluation of incidents and resulting lessons learned."

There were almost 7,000 more data breaches in 2012 than in 2011, despite numerous warnings from GAO.

The first red flag was a May 2006 breach at the Department of Veterans Affairs, when information and data of an estimated 26.5 million current and former military members was taken.

Other federal agencies failed to learn from this breach, according to GAO, which pointed to a February 2009 breach at the Federal Aviation Administration, a March 2012 breach at the National Aeronautics and Space Administration and a May 2012 cyber attack at the Federal Retirement Thrift Investment Board.

The eight agencies reviewed were the Centers for Medicare & Medicaid Services, departments of the Army and Veterans Affairs, Federal Deposit Insurance Corp., Federal Reserve, Federal Retirement Thrift Investment Board, Internal Revenue Service, and Securities and Exchange Commission.

GAO picked these specific agencies to review based on overall size, the amount of personal information and data they possess, and the number of data breaches they have annually.

A survey conducted for GAO by a third party found the average per-capita cost of a data breach for U.S. companies was $188 per comprised record in 2012.

"Without more specific guidance on addressing and documenting lessons learned, these agencies are at risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented," GAO said.

View article comments Leave a comment
Author:

Kelly Cohen

Staff Writer
The Washington Examiner