Rapid7 Finds 268 Data Breaches Exposed More than 94 Million Personally Identifiable Information Records in the Government Sector Over a 3-Year Time Period

Review of breach data shows unintended disclosure, portable devices, physical loss, and hacking are pain points for state and federal agencies

Boston, MA — 9月 6, 2012

Rapid7, the leading provider of security risk intelligence solutions, today announced that an analysis of government breach data shows that the government sector reported 268 incidents of data breaches from January 1, 2009 to May 31, 2012, which exposed more than 94 million records containing personally identifiable information (PII). The analysis, "Rapid7 Report: Data Breaches in the Government Sector" details the number of incidents reported, revealing a 50% increase in the number of compromises affecting the government sector from 2009 to 2010, as well as a skyrocketing rise in the number of records exposed each year, with the number tripling from 2010 to 2011. Unintended disclosure, the loss/theft of portable devices, physical loss, and hacking continue to be the leading causes of breaches.

"Government infrastructure has come under attack from cyberespionage, hacktivism and insider threats. Combine that with a staggering number of cases involving human error and it's clear that the government sector is facing a persistent challenge when it comes to protecting our critical infrastructures, intellectual property, economic data, employee records and other sensitive information," said Marcus Carey, security researcher at Rapid7. "Our analysis puts a spotlight on the need for improved security operations and testing. It also analyzes specifc threats that government entities are facing, because knowing these threats is key to be able to reduce risk."

Analyzing data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches, which includes information from the Open Security Foundation's DataLossDB, Rapid7 discovered additional details regarding breach incidents and government records that were exposed, including:

  • During the time frame analyzed, 2010 had the highest number of incidents (102), followed by 2011 (82) and 2009 (53). There were 31 cases reported between January 1, 2012 and May 31, 2012.
  • The number of hacking incidents increased nearly 50% year-over-year between 2009 and 2011, with 2012 on pace to more than double that of 2011 entirely.
  • Unintended disclosure was reported as the leading cause of breach incidents in 2009, 2010 and 2011, totaling 69 cases.
  • Between January 1, 2012 and May 31, 2012, government agencies reported more hacking incidents than any other type of incident.
  • California (21), District of Columbia (20) and Texas (16) reported the greatest amount of incidents across the country.
  • Kentucky, Montana, Nevada, North Dakota and South Dakota reported no data breach incidents during the analyzed time frame. Alaska, Delaware, Idaho, New Hampshire, Rhode Island and West Virginia reported one incident each, which exposed fewer than 75,000 records combined. 
  • The number of PII records exposed from 2010 to 2011 increased by 168.69%.
  • The number of PII records exposed from 2011 to May 31, 2012 increased by 138.3%.
  • More than 80.7 million PII records were exposed as a result of the loss, theft or discarding of portable devices. Unintended disclosure (11.7 million+ PII records) and hacking (1.1 million+ PII records) caused the second and third largest amounts of record exposure.
  • There were 14 incidents reported by agencies housing United States veteran PII data, including multiple incidents with the U.S. Department of Veteran Affairs.

About Rapid7

Rapid7 security analytics software and services reduce threat exposure and detect compromise for 3,000 organizations across 78 countries, including over 250 of the Fortune 1000. We understand the attacker better than anyone and build that insight into our solutions to improve risk management and stop threats faster. We offer advanced capabilities for vulnerability management, penetration testing, controls assessment, incident detection and investigation across your assets and users for virtual, mobile, private and public cloud networks. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.

Media Contact