Home > 2012 > Identity Theft

94 Million Exposed: The Government’s Epic Fail on Privacy

Advertiser Disclosure Comments 0 Comments

When you hear a number like “94 million” in the news, it’s usually because somebody won the lottery. This time around, no such luck. This 94 million is the number of Americans’ files in which personal information has been exposed, since 2009, to potential identity theft through data breaches at government agencies. Go ahead, count the zeroes: 94,000,000. That’s like releasing the personal data of every man, woman and child in California, Texas, New York, and Ohio.

Believe it or not, this number — which was just revealed in the latest report from tech security firm Rapid7 — is only the most conservative estimate. When you take into account the difference between reported data breaches, which is what this report measures, and actual incidents, you are talking about a much, much bigger number. As bad as the numbers are, it gets worse. Much worse. Indeed, the biggest threat doesn’t come from smart hackers — it comes from dumb politicians and bureaucrats.

First, let’s consider the scope: The newly released Rapid7 report is based on the list of data breaches compiled by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group (and remember, we’re only talking about the last three years). According to Rapid7’s analysis, government agencies at the local, state and federal level are becoming infinitely more proficient at exposing our personal data, putting more and more of it at risk with each passing year. Government agencies reported that they exposed 1.5 million records containing personally identifiable information (you know, the sensitive stuff: your name, your address, your phone number…) in all of 2010. The following year that total more than doubled, to 4 million. (If you’re worried that you’re a victim, read this.)

So far this year, government agencies have more than doubled their totals from last year, reaching 9.6 million in just the first five months of 2012. Who knows where we’ll be by the end of the year — or how many innocent people will be exposed to fraud and identity theft due to the negligence of government employees or third-party vendors?

And remember, these are just the breaches we know about. In some states, government agencies are not legally required to publicly report data breaches, or to notify potential victims that their personal information has been exposed. To take one little-known example, local governments in California are exempted from that state’s breach notification law — “a big exception, in my opinion,” as Clearinghouse founder and director Beth Givens told us, since local governments “compile a great deal of personal information.” Furthermore, out of 268 breach incidents reported since 2009, the 67 of the public agencies responsible (and I use that term loosely) couldn’t even figure out how many records were lost. That fact alone will tell anyone with basic math skills and a lick of common sense that this epidemic is much worse than we know.

What’s even more astonishing than the total number of personal records breached is how the databases were compromised in the first place. Despite what news reports, urban legend, and simple logic might lead you to believe, sophisticated, premeditated attacks by hackers accounted for only 40 breaches since 2009, a mere 15 percent of the total.

Plain and simple stupidity and negligence caused most of the rest. In 78 of the breach incidents, government employees inadvertently disclosed citizens’ private information by posting it on a public website or sending it to the wrong people. Loss of physical, paper documents — not digital ones — accounted for another 46 data breaches. In 51 of the cases, government bureaucrats lost our private data by losing track of a portable device such as a laptop, smartphone, hard drive or back-up tape. A few of the breaches took place after these rocket scientists left a device filled with our PII inside an unlocked car.

Of the many screw-ups detailed in this report, that last one is the one that lights my fire. What Neanderthal (with all due respect to the GEICO cavemen) leaves a laptop sitting in the back of an unlocked car — especially a laptop containing the private records of thousands of citizens? What form of bureaucratic insanity allows this to keep happening, over and over and over again?

While the Rapid7 report phrases its description in less incendiary terms, the facts are still damning: “Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices.”

“Poor best practices,” indeed.

Meanwhile, other branches of government are busy exacerbating the problem. Based on all the grandstanding by Republican officials about the need to rein in an unaccountable federal bureaucracy and get tough on national security, I expected GOP lawmakers to quickly pass the 2012 Cybersecurity bill, which would have required all organizations that run the nation’s critical infrastructure (think nuclear power plants, water supply systems and roads) to meet certain basic standards that would help defend them against hacker attacks. But Republicans were so myopically focused on preventing President Obama from achieving even the slightest legislative victory in this do-or-die election year that they almost unanimously opposed the bill, even after the Democrats caved entirely by offering to make the bill’s provisions voluntary.

How are we ever going to convince government agencies to take information security seriously when their own bosses in Congress treat our data and our most valuable infrastructure like just another pawn in a never-ending chess match for power?

Here’s the bottom line. We hear a lot of genuine, well-grounded concern about the growing number and sophistication of hacker attacks. But based on the information contained in this report, while hackers are partially to blame, the sad truth is that our own government’s security policies — or lack thereof — have put us all at risk.

Too many bureaucrats are losing track of too much of our data, and their oops! moments are being magnified by civil servants who consistently fail to implement the necessary access controls, encryption, physical security, and performance audits required to comply with the law and keep citizens’ private data private, according to a recent study by the Government Accountability Office.

We’ve known for quite some time that government agencies have turned their horrible privacy practices into an art form. The GAO’s report found that out of 24 major government agencies, 18 had inadequate information security controls. Of those, eight federal agencies got failing grades when it came to implementing the 2002 Federal Information Security Management Act. (Ah well, a decade is on par with Congressional Standard Time.) Those agencies included the Department of Veterans Affairs and the Department of Health and Human Services, each of which have met just over 50 percent of the law’s requirements.

Terrified yet? As the agencies responsible for running some of the government’s largest entitlement programs, the VA and Health and Human Services retain deeply private, unspeakably sensitive information on millions of Americans. The VA’s terrible performance shows that so far it has failed to learn its lesson on privacy, since this is the agency responsible for one of the largest government data breaches in history — a 2009 incident in which the VA lost a hard drive containing the names and Social Security numbers of tens of millions of veterans.

Combine that with the fact that hacking is on the rise. Only four government data breaches were caused by hackers in 2009, according to the Rapid7 report. By 2011, the total had grown to 18, and there were another 11 breaches perpetrated by hackers in the first five months of 2012. Those numbers will continue to increase — and why wouldn’t they? The government’s own metrics show that the “sophisticated” computer defenses of many federal agencies are on a par with the blundering army of archers defending the fictional European country in the 1959 Peter Sellers movie, “The Mouse That Roared.” Judging by appearances, mining those computers for all the private data they hold is about as daunting to a professional hacker as a child’s piggy bank would be to a professional safe cracker.

Mailing a USB drive brimming with names and Social Security numbers to the wrong person, failing to delete data from discarded drives — the list of governmental idiocies is long. And all of these unforced errors by incompetent or untrained pencil-pushers are like waving a red flag at a herd of very aggressive bulls — in this case, a herd of hackers. The difference is, when those bulls charge, it’s not the bureaucrats who get skewered. It’s you and me: American taxpayers who have been forced to hand over to the government all of our private information — names, addresses, phone numbers, Social Security numbers — just to take care of the basics (pay our taxes, receive our Medicare benefits, even register to vote).

Unfortunately, the bureaucrats seem to be unable to fix this mess. That means it’s up to us. What should we do?

First, let’s put some teeth into the law. The Information Security Management Act is ridiculous. Agencies are reviewed regularly for compliance, but what happens when they fail to comply? They receive a very stern talking-to from the GAO. They might even get written up in a report using words like “vulnerable” and “weak.”

Give me a break. We need nationally mandated security protocols, backed by a law that imposes serious sanctions on offending agencies and the bureaucrats who run them.

Low-level bureaucrats who leave unencrypted laptops in unlocked cars should be suspended without pay for meaningful periods of time. High-level bureaucrats who fail to improve their computer security safeguards in compliance with the law should at the very least be fired. In the case of actual data breaches, firing isn’t enough. Depending on the level of negligence, it’s not unreasonable that the bureaucrat should stand trial; if they are convicted of negligence and enabling fraud, they should arguably go to jail.

Second, instead of simply playing defense on data security, we need government to aggressively play offense. The federal government already spends $13.3 billion a year to secure its computer systems and bring federal agencies into compliance with the 2002 Information Security Management Act, according to a report published in March by the Office of Management and Budget. That’s 18 percent of everything those agencies spend on information technology.

However, a security system is only as good as its weakest link — people. Among a host of other initiatives, the government needs to better monitor the systems they have in place, develop effective breach response programs, and pro-actively train people to think security 24/7.

Here’s the point: It’s not just about punishing bad behavior. We must incentivize good behavior and inculcate best practices. Many Federal agencies have good rules in place, unfortunately, not enough are striving to meet them and several could strive a whole lot harder.

Finally, we, the people — the ones government is supposed to protect — need to get fired up and take action. While Federal agencies tend to ignore complaints from individual citizens, they do take complaints from members of Congress very seriously (since enough angry senators could cause an agency major tsouris when budget season comes around). If you are one of the millions of citizens whose information was improperly exposed, and received a notice from a federal agency to that effect, don’t just stand there, do something about it.

Letters to senators — good old fashioned snail-mail, handwritten missives — get noticed. Groups of seniors or veterans or Medicare patients showing up on a Congressman’s office doorstep get noticed. Blog articles that help track identity-related fraud get noticed.

Whatever your skill and whatever your interest, you have something to add to this fight. And if you’re an American taxpayer, you probably have something to gain from it. Rapid7’s report shows that federal bureaucrats still don’t take seriously their responsibility to protect our privacy. It’s high time for us to target the things they do take seriously: their budgets, their jobs, and their freedom.

Image: Don Hankins, via Flickr

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team