We are only a little over halfway through 2016, and yet according to the latest IBM X-Force data, 200 million government records worldwide were already compromised by July 31 of this year. That’s nearly 60 million more than all the records compromised from 2013 through 2015 — combined.
What’s behind this spike?
Source: IBM X-Force Interactive Security Incidents data
A Global Problem
The U.S. is the clear leader in terms of the number of security incidents where government records were compromised over the last several years. This makes sense when you consider the sheer number of state and local government organizations: According to the 2012 U.S. Census, there were 90,056 state and local governments in the U.S.
Source: IBM X-Force Interactive Security Incidents data
But the issue of government breaches is not confined to the U.S. It is a global problem, with close to 100 reported incidents spanning across 29 countries and six continents.
Government entities have been targeted by malware infections, phishing schemes and SQL injection attacks. Compromised information includes national ID numbers, fingerprints, confidential documents and emails, passwords, and credit card numbers of private citizens, current and former government employees, and military personnel.
Government Data for Sale
Attackers use this information to conduct further fraudulent and malicious activity. One popular move is to take stolen information and put it up for sale on the Dark Web, as was the case with the U.S. Office of Personnel Management (OPM) breach in 2015.
Hacktivists, often motivated by political or social interests, played a role in several of these incidents. In March, hacktivists posted over 300 GB of Filipino voter data from the country’s electronic election website, The Register noted. More than half the estimated population of the Philippines was exposed by this leak, including hundreds of thousands of email addresses linked to passport info, fingerprints, family history and other sensitive information.
Attackers Are Multidimensional
Health care records are still all the rage for cybercriminals. In fact, a midyear checkup showed that the health care industry continues to represent a growing percentage of all data breaches — 15 percent in the first half of 2016 (through June 1), up from 9 percent in 2015.
So, why the jump in compromised government records as well?
Attackers are not one-dimensional. They are capable of setting their sights on multiple targets, and they are equally adept at launching myriad attacks — from DDoS extortion attempts to targeted banking malware campaigns to command injection attacks. Congruent trends are often found across the threat landscape.
Follow the Money
Attackers will go wherever there’s money to be made. They’re financially motivated, which is why they target industries such as health care and government. The wealth of information within a government record can be just as valuable as a health care record, if not more valuable because of what can be done with it. These records could be used to pivot to other schemes, gain access to confidential information or file fraudulent tax returns, for example.
Furthermore, although the percentage of government security incidents as a total of all security incidents has risen slightly this year over the previous year through July 31, there had been a notable decline for the previous three years: 2013 (14 percent), 2014 (10 percent) and 2015 (7 percent). The significance of the 2016 breaches is not necessarily the rise of incidents per se (it’s too soon to tell), but rather the magnitude or impact of these incidents.
Another reason for the apparent surge in incidents in 2016 could actually be the result of increased reporting. At least in the U.S., the Office of Management and Budget (OMB) mandated changes to security incident reporting for federal executive branch agencies.
SQL Injection and Misconfigurations
Of the government security incidents where the attack type was known and the attack resulted in the compromise of data (a little over two-thirds of the incidents), SQL injection attacks were responsible for 45 percent since 2011.
SQL injection attacks are clearly impacting the government sector. Interestingly, though, the last incident where SQL injection was the known attack vector targeting a government organization occurred in 2014.
However, there have been numerous data compromises since then in which the attack type has not yet been publicly confirmed, but SQL injection is suspected since it continues to be a prevalent attack vector. An Akamai report indicated that there was an 87 percent increase in SQL injection attacks in Q1 2016 compared with the previous quarter. We know the attacks are occurring; we’re just not hearing about them as much from a public disclosure standpoint.
Source: IBM X-Force Interactive Security Incidents data
In contrast, there have been several high-profile breaches of government data in the past couple of years where a security misconfiguration was identified as the reason behind a data leak.
Most notably, over 93 million records containing Mexican voter data were exposed due to an improperly secured public-facing cloud database. Leaked data included names, voter identification numbers, addresses, dates of birth and other sensitive information.
Prior to this incident, a security misconfiguration on a U.S. political party website exposed the personal information of over 2 million individuals, including names, addresses, birthdates and voter information.
Data and Application Security
It’s imperative that governments implement a comprehensive data security platform. Look for a data security solution that can detect SQL injections and malicious stored procedures and identify when a data repository attack is underway, whether it’s an inside or outside attacker.
Since SQL injection holes in web servers and applications seem to be an open door to many government databases, a focus on application security is a must. Tools can reduce the likelihood of web application attacks and data breaches by automating application vulnerability testing and finding issues such as lack of input validation. Beyond open SQL injection vulnerabilities, these tools can help find other OWASP top 10 web application risks before the application hits production.
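The "lack of input validation" that such tools look for is easiest to see side by side with the fix. The following is an added example (not code from the article or from IBM) showing a lookup that builds its SQL string by concatenation next to the same lookup with a bound parameter, plus an allow-list validator as a second layer. The `citizens` table, its rows and the `is_valid_username` policy are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: a tiny "citizen records" table standing in for a
# government database. Nothing here comes from the article or a real system.
SAMPLE_ROWS = [
    (1, "alice", "ID-1001"),
    (2, "bob", "ID-1002"),
    (3, "carol", "ID-1003"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER, username TEXT, national_id TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Lookup that splices the user-supplied value into the query text.

    Because the value becomes part of the SQL itself, a quote character in the
    input changes the structure of the statement. This is the defect a scanner
    reports as 'lack of input validation' / SQL injection.
    """
    query = ("SELECT id, username, national_id FROM citizens "
             "WHERE username = '" + username + "'")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement, so whatever the
    input contains it is compared as data and can never alter the query.
    """
    query = "SELECT id, username, national_id FROM citizens WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Allow-list validation as a defence-in-depth layer (hypothetical policy:
    1-32 alphanumeric characters). It complements parameterization; it does
    not replace it."""
    return 1 <= len(username) <= 32 and username.isalnum()


def lookup_hardened(conn, username):
    """Validate first, then query with a bound parameter; reject bad input
    before it reaches the database at all."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, probe)), "rows")
    print("hardened lookup returned", len(lookup_hardened(db, probe)), "rows")
```

Run against the constructed table, the concatenated version hands back every row for the quote-bearing input, while the parameterized version matches no row because it is looking for a user literally named `x' OR '1'='1`. The validator rejects that input outright, which is the behaviour a pre-production application security scan would expect to find.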
Unfortunately, misconfiguration can make a relatively secure app vulnerable. For example, a firewall rule such as "permit ip any WEB-SERVER1" allows all traffic, on every protocol and port, from any source to the web server. The same goes for leaving an unneeded port open on a web server, or granting the wrong permissions on a UNIX web server so that external or unapproved users can reach an app or service. System misconfigurations are one of the more common forms of human error resulting in inadvertent insider threats.
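Rules like the "permit ip any WEB-SERVER1" example are easy to catch mechanically before they reach a device. The following is an added example, not from the article or IBM, of a small audit that parses access-list lines in the Cisco-style syntax the article quotes and flags permit rules that constrain neither protocol nor port. The sample ACL, the object name WEB-SERVER1 and the 10.20.0.0/16 management range are constructed for illustration; the parser covers only the `permit|deny proto src dst [eq port]` shape, with `any`, `host NAME`, a bare object name or `address wildcard` as an address.

```python
import re

# Constructed sample access list in Cisco IOS/ASA style. The first line is the
# overly broad rule from the article; the rest show the narrower forms an
# internet-facing web server normally needs.
SAMPLE_ACL = """
permit ip any WEB-SERVER1
permit tcp any host WEB-SERVER1 eq 443
permit tcp any host WEB-SERVER1 eq 80
permit tcp 10.20.0.0 0.0.255.255 host WEB-SERVER1 eq 22
deny ip any any
""".strip().splitlines()

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _take_address(tokens):
    """Consume one address specification from the token list.

    Returns (address, remaining_tokens). Accepted forms: 'any', 'host X',
    'A.B.C.D W.X.Y.Z' (address plus wildcard mask) or a bare object name.
    """
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if len(tokens) > 1 and _IPV4.match(tokens[0]) and _IPV4.match(tokens[1]):
        return tokens[0] + " " + tokens[1], tokens[2:]
    return tokens[0], tokens[1:]


def parse_rule(line):
    """Parse one ACL entry into its action, protocol, source, destination and
    optional destination port (only the 'eq PORT' operator is handled)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_address(rest)
    dst, rest = _take_address(rest)
    port = rest[1] if rest[:1] == ["eq"] and len(rest) > 1 else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def audit_acl(lines):
    """Return (line, reasons) for every permit rule that leaves the service
    unconstrained: all protocols ('ip'), or tcp/udp with no port restriction.

    A source of 'any' is reported as context but is not by itself a finding,
    since a public web server must accept connections from anywhere on its
    published ports.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS-style comments
        rule = parse_rule(line)
        if rule["action"] != "permit":
            continue
        reasons = []
        if rule["proto"] == "ip":
            reasons.append("all protocols")
        elif rule["proto"] in ("tcp", "udp") and rule["port"] is None:
            reasons.append("all ports")
        if reasons and rule["src"] == "any":
            reasons.append("any source")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for bad_line, why in audit_acl(SAMPLE_ACL):
        print(f"overly permissive: {bad_line!r} ({', '.join(why)})")
```

On the constructed list only the first rule is reported (all protocols, any source); the 443 and 80 rules are open to any source but pinned to a single port, and the SSH rule is limited to the management range, so none of those is a finding. The corrected form of the flagged rule is the pair of port-specific entries that follow it.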
Growing Spotlight on Government
In the past, it appears that either the government sector has been less affected by security breaches than the private sector or the breaches were not known to the public. The good news? With this growing spotlight on government, there have been several examples of agencies recognizing the need to take steps to improve data security.
The U.S. OPM released a report following the aforementioned breach on its systems identifying current and future actions to strengthen cybersecurity and protect critical IT systems. In Europe, the General Data Protection Regulation (GDPR) was signed into law in May, with the goal of strengthening and unifying data protection for citizens of the European Union.
Let’s hope these are indicators of positive movement toward better government data security globally.
Manager, X-Force Strategic Threat Analysis, IBM