Government breaches – can you trust the US Government with your data?

In 2020, the US government suffered 87 data breaches that affected over 3.3 million people. Based on an average cost of $146 per affected record, we estimate that these breaches cost government entities almost $487 million last year alone.

Despite a 25 percent year-on-year decrease in the number of breaches targeting government entities (down from 116 in 2019), the number of records affected leaped by over 110 percent (up from 1.6 million in 2019). This suggests that while fewer breaches may have occurred, when they did happen, they were far more disruptive and costly.

This trend appears to have continued in 2021, too. In 2019, the average number of records breached per entity was 13,682, rising to 38,337 in 2020, and 39,392 in 2021. Furthermore, with the true extent of breaches often not being felt for months (if not years), the average records affected per breach for this year could increase even further.

So, what are these data breaches costing the government, how have government breaches developed over time, and what trends have we seen in recent years?

Our team of researchers has collated data on government data breaches dating back as far as 2014. We’ve searched through state reports, government reports, news, press releases, and industry reports to create an extensive list of breaches that have affected government agencies across the United States. However, as many of these breaches and their details often go unreported, we believe these figures are just a fraction of the problem.

Key findings

In 2020:

  • 87 government entities suffered data breaches in 2020 – a 25 percent decrease from 2019 (116)
  • 3,335,349 records were affected because of these breaches – a 110 percent increase from 2019 (1.59 million)
  • The cost of these affected records was $486,960,954 in 2020 – more than double that of 2019 ($238 million)
  • Florida had the most breaches with 7 in total, which affected 484,321 people
  • Washington had the most records affected (1,609,101) and, therefore, suffered the largest loss at $234,928,746
  • Wyoming had the highest percentage of its population (28 percent) affected by government breaches in 2020

Which state had the most government data breaches in 2020?

With 7 separate breaches, Florida had the most government data breaches in 2020. This was closely followed by California, Indiana, Kentucky, and Massachusetts where 5 incidents each were recorded. Florida was also the second-most impacted state when it comes to records affected with over 484,000 impacted across the 7 breaches.

Washington saw the highest number of records affected with 1,609,101 in total. The vast majority of these (1.6 million) were involved in the breach at Washington’s State Auditor. The office was compromised when bad actors exploited a vulnerability in a secure file transfer service from third-party vendor Accellion, which exposed the information of 1.6 million unemployment claims.

Illinois also had a high number of records affected with 355,763 across 3 breaches. Only 3 other states had over 100,000 records affected. These were Wyoming (164,021), Missouri (113,579), and Alaska (113,000) and all were affected in a single data breach within the state.

Nearly 30 percent of residents in Wyoming were affected by government data breaches in 2020

If we look at the number of records affected in relation to the population of each state, Wyoming had the highest percentage of its population affected by government data breaches. With 164,021 people affected by the breach at the Wyoming Department of Health, this suggests over 28 percent of residents were impacted by this accidental release of COVID-19 test results. A workforce member inappropriately handled the health information and uploaded it to private and public online storage locations.

Wyoming was closely followed by Washington where 21 percent of the population were affected by government breaches, followed by Alaska with 15 percent. In all of the other states, less than a few percent of residents were impacted by breaches on government entities in 2020.

How much did these data breaches cost government entities in 2020?

According to IBM, the average cost per record involved in a breach was $146 in 2020 – a slight decrease on 2019’s cost of $150. However, based on each breached record costing government entities $146, this equates to a loss of nearly $487 million in 2020 alone.

While this figure sounds extraordinarily high for just 87 data breaches, the true costs are likely much higher. This is not just because of all of the other costs involved in a data breach (e.g. remediation costs) but because some figures are unavailable for the number of records involved in these breaches. Equally, as the IBM study reveals, those breaches involving personally identifiable information (PII) have higher costs at $150 per record, increasing to $175 when the breach is caused by a malicious attack.

What type of government entities were most affected in 2020?

Nearly a quarter of the government breaches we found in 2020 affected cities. In total, 19 cities were breached, affecting 176,994 people. The worst breach was in the City of Independence, Missouri, which was hit with a ransomware attack that affected city systems and compromised 113,579 records.

Other large-scale breaches included:

  • The City of Sunrise, Florida – 21,924 Floridians were affected in April 2020 due to a hack on third-party utility bill payment vendor, Click2Gov. Hackers tried to extract card details from users which affected nearly 22,000 residents.
  • The City of Fort Lauderdale – 9,271 records were affected when the “paperless” city’s payroll system was advertised for sale on the dark web by hackers.

Counties suffered one-fifth of 2020’s breaches with 17 in total and 339,699 people affected. They were closely followed by law enforcement agencies (17%) with 15 police departments, sheriff offices, prisons, and other entities suffering breaches in 2020. Some of the largest breaches across law enforcement included:

  • Borough of Haledon, New Jersey Police Department – 50,696 records were exposed after an external system was breached.
  • BlueLeaks – This breach affected more than 200 police departments, fusion centers, and other law enforcement agencies across different states in America. A group named DDoSecrets published 269GB of data stolen from these law enforcement agencies, including sensitive documents from the last ten years.

Although over 200 agencies were breached in the BlueLeaks attack, many have remained nameless to the public. The largest noted BlueLeaks breach was the Northern California Regional Intelligence Center, where 29,114 records were breached and 19GB of data published. Others included Minnesota Bureau of Criminal Apprehension with 20,000 records affected and Hennepin County Sheriff’s Office with 1,500 records affected.

Key findings from January 2014 to July 2021:

According to our findings:

  • 661 government entities have been breached with 175,332,906 records affected
  • 2019 saw the highest number of breaches with 116, while 2020 had the highest number of people affected with 3,335,349
  • The total cost of these government data breaches is estimated at over $26.1 billion
  • California suffered the most breaches with 78 affecting nearly 24.5 million records. This is nearly double the number of breaches suffered in Florida (39)
  • Residents in Indiana have been most heavily impacted by government breaches over the years with 14.8 million records impacted across 11 breaches. With just 6.7 million people in the state, this suggests each Hoosier has had their data impacted by a government entity more than twice

How does 2020 compare to previous years?

As we can see from the graph below, government data breaches hit an all-time high toward the end of 2019 with 18 recorded in September alone. Since then, government breaches have remained at a similar level with several peaks and troughs. The most notable peaks are the ones that have occurred each year in May. 2021’s peak in May was particularly high, especially when we consider that many breaches are reported months after they occur.

Government data breaches by month and year

When it comes to records affected, the biggest peak by far was in December 2020. With over 1.7 million records affected, December’s breached records accounted for 52 percent of the year’s total. The majority of these breached records came from the attack on Accellion which affected the Office of the Washington State Auditor where 1.6 million unemployment claims were breached.

How is 2021 looking for government data breaches?

Aside from the current dip noted in June, 2021 looks set to follow a similar pattern to previous years. Even though breaches are lower than previous years (as it stands), it is likely the figures we’ve recorded over the past few months will increase as more breaches are publicized.

July’s high figure for records affected (750,000 impacted in a hack on the Indiana State Department of Health) also suggests 2021 could be a high year for records impacted and the costs involved in these breaches. IBM’s recent updated report on the cost of data breaches suggests the cost of each breached record is at an all-time high of $161. Based on the reports we’ve found so far, this equates to a cost of more than $209 million.

Methodology

Using state reports, government reports, news, press releases, and industry reports, we have collated all of the records of data breaches that have occurred within government/military departments. Where possible, the figures for the breaches have been assigned to the state where records were affected. However, in some cases, the figures will be allocated to the state where the company involved is headquartered. This is due to several states often being affected and a breakdown of figures per state being unavailable. Equally, if the data breach was US-wide, this will fall under “US” as it cannot be pinpointed to a state.

Furthermore, there may be some instances where the breach occurred in a previous year but wasn’t brought to the attention of the authorities until later on. Not every breach comes with a figure for the number of records affected (this may be unknown or may be below the threshold imposed by the state). BlueLeaks was also logged as one breach, due to the wide range of entities being affected and because many of them haven’t been named publicly.

Figures for previous years, 2019 and prior, may have altered since our last study due to updated reports with the exact breach date.

Data researcher: Charlotte Bond

You can request a detailed list of the US government data breaches we analyzed here: https://docs.google.com/spreadsheets/d/1Oh9Z1F3NHTCZJfFQjj9JIq-EwwgDpqtTPBf4prYfIz4/edit?usp=sharing