Hacked Agencies Are Inconsistent in Alerting Victims
The uncoordinated responses could impair efforts to protect citizens and federal employees, GAO finds.
Agencies are not in synch when it comes to notifying victims of hacks, which might be impairing the government’s ability to protect affected federal employees and citizens from predators, according to a new federal audit.
The number of reported government data breaches that compromised personal information spiked 42 percent between fiscal years 2011 and 2012, increasing from 15,584 cases to 22,156 cases, Government Accountability officials report.
While the rate of reported hacks has grown, improvement in responding to those hacks has not, according to their audit, which was released on Wednesday.
Within eight agencies examined, "implementation of breach response policies and procedures was not consistent," the report stated, adding that consequently, "these agencies may not be taking corrective actions consistently to limit the risk to individuals from [personal information]-related data breach incidents."
For example, the Internal Revenue Service and Federal Retirement Thrift Investment Board did not factor in the number of individuals affected to calculate the likely risk of harm and level of impact of each incident.
And at the Centers for Medicare and Medicaid Services -- which oversees HealthCare.gov, the Veterans Affairs Department, Federal Deposit Insurance Corporation and Federal Reserve Board, "we found that the agencies did not always document the number of affected individuals for each case," the study stated.
"While it may not be possible for an agency to determine the exact number of affected individuals in every case, an estimate of the number of affected individuals is important in determining the overall impact of a data breach,” the study added.
The review examined several past high-profile breaches at various agencies. “Most notably," according to GAO, was the theft of VA computer equipment containing personal information on about 26.5 million veterans and active duty members. Auditors also looked at the 2011 hack of a computer containing the Social Security numbers of 123,000 federal employee retirement plan participants.
Wednesday's report does not address some of the most recent major incidents, such as the Energy Department's sluggish response to a July 2013 breach that ultimately affected 104,000 federal employees and the 2011 theft of backup computer tapes containing sensitive health information of 4.9 million Military Health Care System TRICARE beneficiaries.
The audit partly blames the uneven incident response on incomplete guidance from the Office of Management and Budget. After reading a draft report, OMB officials asked GAO to specify what extra instructions agencies need. In the final report, the auditors recommended that OMB provide directions on notifying victims based on a hack’s risk-level, as well as criteria for determining whether to offer individuals assistance, such as credit monitoring.
(Image via Sergey Nivens/Shutterstock.com)
NEXT STORY: GAO: Security breach response by feds is uneven