August 10, 2016 By Michelle Alvarez 5 min read

We are only a little over halfway through 2016, and yet according to the latest IBM X-Force data, 200 million government records worldwide were already compromised by July 31 of this year. That’s nearly 60 million more than all the records compromised from 2013 through 2015 — combined.

What’s behind this spike?


Source: IBM X-Force Interactive Security Incidents data

A Global Problem

The U.S. is the clear leader in terms of the number of security incidents where government records were compromised over the last several years. This makes sense when you consider the sheer number of state and local government organizations: According to the 2012 U.S. Census, there were 90,056 state and local governments in the U.S.


Source: IBM X-Force Interactive Security Incidents data

But the issue of government breaches is not confined to the U.S. It is a global problem, with close to 100 reported incidents spanning across 29 countries and six continents.

Government entities have been targeted by malware infections, phishing schemes and SQL injection attacks. Compromised information includes national ID numbers, fingerprints, confidential documents and emails, passwords, and credit card numbers of private citizens, current and former government employees, and military personnel.

Government Data for Sale

Attackers use this information to conduct further fraudulent and malicious activity. One popular move is to take stolen information and put it up for sale on the Dark Web, as was the case with the U.S. Office of Personnel Management (OPM) breach in 2015.

Hacktivists, often motivated by political or social interests, played a role in several of these incidents. In March, hacktivists posted over 300 GB of Filipino voter data from the country’s electronic election website, The Register noted. More than half the estimated population of the Philippines was exposed by this leak, including hundreds of thousands of email addresses linked to passport info, fingerprints, family history and other sensitive information.

Attackers Are Multidimensional

Health care records are still all the rage for cybercriminals. In fact, a midyear checkup showed that the health care industry continues to represent a growing percentage of all data breaches — 15 percent in the first half of 2016 (through June 1), up from 9 percent in 2015.

So, why the jump in compromised government records as well?

Attackers are not one-dimensional. They are capable of setting their sights on multiple targets, and they are equally adept at launching myriad attacks — from DDoS extortion attempts to targeted banking malware campaigns to command injection attacks. Congruent trends are often found across the threat landscape.

Follow the Money

Attackers will go wherever there’s money to be made. They’re financially motivated, which is why they target industries such as health care and government. The wealth of information within a government record can be just as valuable as a health care record, if not more valuable because of what can be done with it. These records could be used to pivot to other schemes, gain access to confidential information or file fraudulent tax returns, for example.

Furthermore, although the percentage of government security incidents as a total of all security incidents has risen slightly this year over the previous year through July 31, there had been a notable decline for the previous three years: 2013 (14 percent), 2014 (10 percent) and 2015 (7 percent). The significance of the 2016 breaches is not necessarily the rise of incidents per se (it’s too soon to tell), but rather the magnitude or impact of these incidents.

Another reason for the apparent surge in incidents in 2016 could actually be the result of increased reporting. At least in the U.S., the Office of Management and Budget (OMB) mandated changes to security incident reporting for federal executive branch agencies.

SQL Injection and Misconfigurations

Of the government security incidents where the attack type was known and the attack resulted in the compromise of data (a little over two-thirds of the incidents), SQL injection attacks were responsible for 45 percent since 2011.

SQL injection attacks are clearly impacting the government sector. Interestingly, though, the last incident where SQL injection was the known attack vector targeting a government organization occurred in 2014.

However, there have been numerous data compromises since then in which the attack type has not yet been publicly confirmed, but SQL injection is suspected since it continues to be a prevalent attack vector. An Akamai report indicated that there was an 87 percent increase in SQL injection attacks in Q1 2016 compared with the previous quarter. We know the attacks are occurring; we’re just not hearing about them as much from a public disclosure standpoint.


Source: IBM X-Force Interactive Security Incidents data

In contrast, there have been several high-profile breaches of government data in the past couple of years where a security misconfiguration was identified as the reason behind a data leak.

Most notably, over 93 million records containing Mexican voter data were exposed due to an improperly secured public-facing cloud database. Leaked data included names, voter identification numbers, addresses, dates of birth and other sensitive information.

Prior to this incident, a security misconfiguration on a U.S. political party website exposed the personal information of over 2 million individuals, including names, addresses, birthdates and voter information.

Data and Application Security

It’s imperative that governments implement a comprehensive data security platform. Look for a data security solution that can detect SQL injections and malicious stored procedures and identify when a data repository attack is underway, whether it’s an inside or outside attacker.

Since SQL injection holes in web servers and applications seem to be an open door to many government databases, a focus on application security is a must. Tools can reduce the likelihood of web application attacks and data breaches by automating application vulnerability testing and finding issues such as lack of input validation. Beyond open SQL injection vulnerabilities, these tools can help find other OWASP top 10 web application risks before the application hits production.

Unfortunately, misconfiguration can make a relatively secure app vulnerable. For example, a firewall rule such as permit ip any WEB-SERVER1 allows all traffic from any source to reach the web server. Leaving an unneeded port open on a web server, or granting the wrong permissions on a UNIX web server, can likewise allow external or unapproved access to an app or service. System misconfigurations are one of the more common forms of human error resulting in inadvertent insider threats.
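As an added illustration of the lack-of-input-validation and SQL injection issues described above (example code written for this page, not code from the article or from IBM): the first lookup concatenates user input straight into the query text, while the hardened versions bind the value as a parameter and validate its format first. The records table, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a government records table (not real data).
SAMPLE_ROWS = [
    ("1001", "Ada Lovelace", "active"),
    ("1002", "Alan Turing", "active"),
    ("1003", "Grace Hopper", "retired"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (voter_id TEXT, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn, voter_id):
    """Deliberately vulnerable: user input becomes part of the SQL text itself."""
    sql = "SELECT name FROM records WHERE voter_id = '" + voter_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, voter_id):
    """Hardened: the driver binds the value, so it cannot change the query structure."""
    sql = "SELECT name FROM records WHERE voter_id = ?"
    return [row[0] for row in conn.execute(sql, (voter_id,))]

def lookup_validated(conn, voter_id):
    """Defense in depth: reject input that does not match the expected format, then bind."""
    if not voter_id.isdigit():
        raise ValueError("voter_id must be numeric")
    return lookup_parameterized(conn, voter_id)

if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"  # the classic tautology probe that scanners send
    print(lookup_vulnerable(conn, tampered))     # every name in the table leaks
    print(lookup_parameterized(conn, tampered))  # [] : no record has that literal id
```

The vulnerable function returns the whole table for the tampered input; the parameterized one returns nothing, and the validated one refuses the input before it ever reaches the database.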

Growing Spotlight on Government

In the past, it appears that either the government sector has been less affected by security breaches than the private sector or the breaches were not known to the public. The good news? With this growing spotlight on government, there have been several examples of agencies recognizing the need to take steps to improve data security.

The U.S. OPM released a report following the aforementioned breach on its systems identifying current and future actions to strengthen cybersecurity and protect critical IT systems. In Europe, the General Data Protection Regulation (GDPR) was signed into law in May, with the goal of strengthening and unifying data protection for citizens of the European Union.

Let’s hope these are indicators of positive movement toward better government data security globally.
