Loss of personal data at U.S. government agencies is all too common, according to a report released by the House Government Reform Committee.
According to the report 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. In addition, those agencies don’t always know what information has been lost or how many people could be affected because they aren’t tracking those losses, the report said.
“For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, ‘the department did not track the content of lost, stolen, or otherwise compromised devices,’ ” the report stated.
Only a small number of the data breaches were caused by hackers breaking into computer systems, the report said. Most of the data losses stemmed from the theft of laptops, drives and disks, as well as unauthorized use of the information by employees, the report said. Contractors were also responsible for many of the reported breaches, the report said.
The Department of Agriculture told the committee that it had had eight incidents involving the loss or compromise of sensitive personal information since Jan. 1, 2003.
Those incidents include an e-mail that was sent to 1,537 individuals on Dec. 17, 2004 that contained, as an attachment, a database containing the Social Security numbers and other personal information of those 1,537 individuals. In response to the incident, the department sent a letter of apology to all of the individuals involved and developed additional security training.
On Feb. 24, 2005, a system containing research data was compromised by someone cracking a password or a user account and installing hacking software, the report said. The department said no information was compromised, but the intruder had read/write access to the server and was able to open access points. In response, the department disabled the log-in account that was cracked and limited access to the building.
The Department of Commerce reported 297 incidents involving the loss or compromise of personal information, the report said. The department said 217 laptops containing sensitive data have been lost, stolen or misplaced. In a separate briefing, the department told members of Congress that since 2001, 1,137 laptops have been stolen, lost or reported missing, according to the report. There is no indication of what steps the department has taken to prevent similar incidents.
The Department of Defense said it had 43 incidents involving the loss or compromise of personal data. For example, on April 5, the department said hackers stole data from its Tricare Management Activity system, including personal data on approximately 14,000 active duty and retired service members and dependents, according to the report. In response to the incident, affected members were notified and new security measures were implemented.
The Department of the Treasury confirmed 340 incidents involving the loss or compromise or sensitive personal information since Jan. 1, 2003. In 336 of those cases, the department couldn’t say how many people had been affected, whether those people had been notified or whether any action had been taken to prevent further loss or compromise of its data, the report said.
“Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since January 1, 2003,” the report said. “The reports show a wide range of incidents, involving employee carelessness, contractor misconduct, and third-party thefts.”
The number of individuals affected in each incident ranges from one to millions, but in many cases the agencies don’t know what information was lost or how many individuals potentially could be affected, the report said. Only a few of these incidents have been reported publicly, and it’s unclear in many cases whether affected individuals have been notified or whether remedial action has been taken, according to the report.
“Data held by federal agencies remains at risk,” the report concluded.