Since 2014, the US government has suffered 822 breaches affecting nearly 175 million records. Based on the average cost per breached record (as reported by IBM each year), we estimate these breaches have cost government entities over $26 billion from 2014 to October 2022.
In 2018 and 2019, the number of government breaches hit an all-time high with 116 and 118 breaches respectively. In 2020, breaches decreased to 107 before increasing again to 116 in 2021. So far this year, there have been 61 data breaches affecting 2.9 million people.
The number of records affected by these data breaches has fallen significantly in the last few years. 2018 saw a colossal 83 million breached records, mainly stemming from one breach at the US Postal Service that affected 60 million records. In 2019, this figure dropped to 1.4 million before hovering around the 3 million mark for the next three years.
Over the last four years, the average number of records involved per government data breach has increased. From 17,400 in 2019 to 42,097 in 2020 and 40,440 in 2021, the average number of records affected per breach in 2022 currently stands at 71,534. While the frequency of attacks may have declined, the impact of individual attacks has increased. The true extent of breaches often isn’t felt for months, if not years, so the average number of records affected per breach for this year could yet increase even further.
So, what are these data breaches costing the government, how have government breaches developed over time, and what trends have we seen in recent years?
Our team of researchers has collated information on government data breaches dating back as far as 2014. We’ve searched through state data breach reports, federal reports, news, press releases, and industry reports to create an extensive list of breaches that have affected government agencies across the United States.
Breach definitions: Card (debit/credit card not via hacking, e.g. skimming), Hack (outside party or malware), Insd (insider–employee, third-party, or customer), Phys (paper documents), Port (portable devices, e.g. laptops, memory sticks, and hard drives), Rans (ransomware), Stat (stationary computer), Disc (unintended disclosure, e.g. sensitive information posted publicly), Unkn (unknown). While phishing attacks aren’t listed separately here, they may be the method used to initiate hacks and ransomware attacks.
From 2014 to October 2022:
- 822 government entities suffered data breaches
- 174,963,934 records were affected because of these breaches
- The cost of these affected records was $26 billion
- 2019 was the biggest year for breaches with 118 in total, followed closely by 2018 and 2021, both with 116
- 2018 had the highest number of records affected: 83,293,815 in total
- California had the most breaches overall (108) and the District of Columbia had the highest number of records affected overall (91.2 million). DC’s vast number of affected records stems from many government offices being based here
- The most common type of breach was hacking with 256 breaches. Those involving inadvertent disclosure were the second-largest breach type with 192 breaches
- Cities/towns were the most-affected government entity type from 2019 to Oct 2022 with 124 breached, while counties were breached 56 times during the same time period
Which state had the most government data breaches from 2014 to October 2022?
With 108 separate breaches, California had the most government data breaches during this time period, significantly higher than any other state. The District of Columbia and Texas were the second-highest states for government breaches but saw less than half the number of CA’s breaches with just 45 each. They were followed by Florida with 44 breaches, Massachusetts (40), and Washington (35).
The District of Columbia recorded a significantly high number of breached records (91.2 million). As mentioned, this is due to many government entities being based within this state. Therefore, the records affected in DC likely impact many residents across all states in the US, which is why we have excluded it from the above map.
California also had a high number of breached records at 24.5 million. The vast majority of these records came from the California Secretary of State breach in 2017 when 19.2 million voter records were left exposed on an unprotected database.
Indiana saw 14.8 million records affected across just 17 breaches. Nearly all of these came from the breach on the Government Payment Service, Inc. The District of Columbia, California, and Indiana were the only states to have more than 10 million breached records. A further 10 states had more than a million breached records, including Washington, Georgia, Texas, Oregon, Kentucky, Virginia, Illinois, Alabama, Montana, and Arizona.
When looking at the number of government records affected per 100,000 people, DC records a whopping 13.6 million per 100,000 people. However, as many of the breaches in this state affected the entire nation, it wouldn’t be fair to use this in our comparison.
When excluding DC, Indiana records the highest number of records affected per 100,000 people with 216,891 records in total. The only other state to have more than 100,000 records per 100,000 people was Washington with 128,400 records.
Other states with high numbers of records affected per 100,000 people include Montana (98,370), Alaska (85,509), and Georgia (62,582).
Nearly half of all states (22) reported more than 10,000 breached records per 100,000 people.
Government data breaches and records affected by year and state
| State | Total # of Breaches | Total # of Records Affected | State Population | # of Records Affected per 100,000 People | 2014 # of Breaches | 2014 # of Records Affected | 2015 # of Breaches | 2015 # of Records Affected | 2016 # of Breaches | 2016 # of Records Affected | 2017 # of Breaches | 2017 # of Records Affected | 2018 # of Breaches | 2018 # of Records Affected | 2019 # of Breaches | 2019 # of Records Affected | 2020 # of Breaches | 2020 # of Records Affected | 2021 # of Breaches | 2021 # of Records Affected | 2022 (to Oct) # of Breaches | 2022 (to Oct) # of Records Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| District of Columbia | 45 | 91,228,110 | 670,050 | 13,615,120 | 8 | 5,152,439 | 3 | 21,842,000 | 13 | 1,072,579 | 4 | 104,200 | 11 | 62,826,882 | 2 | 184,010 | 3 | 46,000 | 1 | 0 | 0 | 0 |
The cost of government data breaches by year
According to IBM, the average cost per record involved in a breach in 2022 is $164, a slight increase on 2021’s cost of $161. 2022’s figure is the highest IBM has recorded over the last nine years, with 2017 being the lowest at $141.
Using IBM’s yearly data on the cost per breached record, we’ve been able to estimate how much these breaches have cost government entities.
From the start of 2014 to October 2022, we estimate data breaches have cost US government organizations over $26 billion.
While this figure sounds relatively high for these 822 data breaches, the true costs are likely much higher. This is not just because of all of the other costs involved in a data breach (e.g. recovery costs and ransom payments) but because some figures are unavailable for the number of records involved in these breaches.
As the 2022 IBM study reveals, data breach costs within organizations labeled “critical infrastructure,” e.g. the public sector, are often much higher. It found that the average cost of a data breach within this category was $4.82 million, $1 million more than for organizations within non-critical infrastructure, e.g. services, hospitality, and entertainment.
The top 5 biggest government data breaches (since 2014)
- The US Postal Service, 2018 – 60 million records: A flaw led to the exposure of 60 million users’ account details – something USPS was warned about a year prior.
- The Office of Personnel Management, 2015 – 21.5 million records: Hackers stole the information of 21.5 million former and current US government employees.
- California Secretary of State, 2017 – 19.2 million records: Voter records for more than 19 million people were available for all to view after a database was left unprotected.
- Government Payment Service, Inc., 2018 – 14 million records: GovPayNow.com, which is used by thousands of local and state governments, leaked over 14 million customer records, including names, phone numbers, addresses, and the last four digits of the payer’s card.
- Georgia Secretary of State, 2015 – 6 million records: A massive data breach occurred when Brian Kemp’s office released data, including personally identifiable information, to political parties, the media, and other subscribers who buy voter information (legally) from the state.
What type of government entities were most affected from 2019 to Oct 2022
To get a more granular look at how government data breaches have developed in recent years, we’ve explored the number of breaches and records affected by government entity type (due to data being more readily available for these years).
Over 30 percent of the government breaches we found from 2019 to October 2022 affected city/town governments. This was considerably higher than counties, which featured in second place with a total of 56 breaches. These were closely followed by law enforcement (53) and departments of health (30).
The 124 breaches on towns/cities affected 806,704 people. The worst breach was in the City of Tucson, Arizona, when the city’s network was compromised in May 2022, affecting 123,513 records.
Other large-scale breaches included:
- The City of Independence, MO – 2020: 113,579 records were breached after a ransomware attack occurred on city systems.
- The City of Harrisburg, PA – 2021: 72,000 people’s data was mishandled after a city employee set up an unauthorized Google account to share information relating to COVID-19 exposure.
- The City of Pensacola, FL – 2019: 60,000 people were affected after a ransomware attack.
- The Town of Concord, MA – 2019: 108 hard drives containing the personal data of 57,116 people went missing in 2019.
County governments accounted for 14 percent of the total breaches suffered across this time period with 56 in total and 798,334 people affected.
- Denton County, TX – 2021: 326,417 residents had their personal information exposed, including COVID-19 vaccination information, due to a vulnerability in a third-party app.
- Cook County, IL – 2020: Criminal domestic violence case information was exposed in a leak. Nearly all of the 323,277 records contained at least some personal information.
- Harris County, TX – 2021: Certain protected health information was inadvertently made accessible on the County’s Justice Administration Department website from March to May (26,000 records).
They were closely followed by law enforcement agencies (13%) with 53 police departments, sheriff’s offices, prisons, and other entities suffering breaches. Some of the largest breaches across law enforcement included:
- Caddo Parish District Attorney’s Office, LA – 2021: Caddo DA discovered its computers had been infected with malware, which led to 230,188 records being affected.
- Defense Information Systems Administration, MD – 2019: Personal information of 200,000 people was compromised at the Defense Information Systems Administration. It took nearly a whole year to notify individuals of the breach.
- U.S. Customs and Border Protection, DC – 2019: 184,000 images including photos of people’s faces and license plates were compromised as part of an attack on a federal subcontractor at a single land border entry point which remained unnamed.
How is 2022 looking for government data breaches so far?
Early on in 2022, breach numbers were high with January experiencing 10 breaches, and February, 12. In total, 2022 has seen 61 government data breaches up until October with 2,861,379 records breached at the time of writing. Even though breaches are lower than in previous years, it is likely the figures we’ve recorded over the past few months will increase as more breaches are publicized.
As we have seen, the records affected are high, too. With the average number of records breached being 71,534, this is a vast increase on the figures we have seen over the last four years. IBM’s 2022 report on the cost of data breaches suggests the cost per breached record is at an all-time high of $164. Based on the reports we’ve found so far, this equates to a cost of more than $469.2 million in breached records for 2022 from January to October alone.
Using state reports, government reports, news, press releases, and industry reports, we have collated all of the records of data breaches that have occurred within federal, state, county, and city government and military departments. Where possible, the figures for the breaches have been assigned to the state where records were affected. However, in some cases, the figures will be allocated to the state where the department involved is headquartered. This is due to several states often being affected and a breakdown of figures per state being unavailable.
Furthermore, there may be some instances where the breach occurred in a previous year but wasn’t brought to the attention of the authorities until later on. And not every breach comes with a figure for the number of records affected (this may be unknown or may be below the threshold imposed by the state). BlueLeaks was logged as one breach due to the wide range of entities (of which there is no exact figure) being affected. It was also logged as “US” as it cannot be pinpointed to a specific state.
Figures for previous years may have changed since our last study due to updated reports with exact breach dates.
Each breach was categorized into one of 24 government organization types, which are as follows:
- Animals and Food
- Board of Commissioners
- Child and Family Services
- Department of Corrections and Rehabilitation
- Department of Economic Opportunity
- Department of Education
- Department of Health
- Department of Human Services
- Department of Information Technology
- Department of Labor
- Department of Public Works
- Division of Elections
- Housing Authority
- Law Enforcement
- Park District
- State Bar
- Transportation Authority
A handful of breaches may appear in this study and our medical data breach study. This is due to some attacks on government entities, e.g. a Department of Health, affecting medical data. Public hospitals and medical centers (aside from ones run by Veteran Affairs) aren’t included, however.
Data researcher: Charlotte Bond
You can see the full list of sources used in this study here.