Government Data Breaches

The US government has suffered 443 data breaches since 2014, with 2018 being the worst year so far, according to a new study by Comparitech.

Data breaches are often associated with the private sector—hackers break into databases owned by businesses to steal user data and other valuable information. But the government is also a frequent target of breaches, which often compromise much more sensitive data. Comparitech analyzed the last four years of US government breaches. These are not limited to database breaches; they also include other electronic and even paper breaches, ranging from stolen laptops and hard drives to document mailing errors.

Key findings

Here are the study’s key findings:

  • Since 2014 there have been 443 government/military data breaches involving 168,962,628 records
  • 2018 was the worst year for data breaches, with 100 breaches involving 81,505,426 records
  • 2014 was also a high year for data breaches (90 in total) but these involved far fewer records—9,419,799
  • Electronic breaches by far outweigh paper breaches. However, in 2014, a third of all breaches were paper data breaches.

Top 10 biggest US government data breaches

These are the top ten largest data breaches of government entities by number of records exposed since 2014.

  • U.S. Postal Service (DC) – 60,000,000 records – 2018
  • Office of Personnel Management (DC) – 21,500,000 records – 2015
  • California Secretary of State (CA) – 19,200,000 records – 2017
  • Government Payment Service, Inc. (IN) – 14,000,000 records – 2018
  • Georgia Secretary of State (GA) – 6,000,000 records – 2015
  • Office of Child Support Enforcement (WA) – 5,000,000 records – 2016
  • Office of Personnel Management (DC) – 4,200,000 records – 2015
  • U.S. Postal Service (DC) – 3,650,000 records – 2014
  • Los Angeles County 211 (CA) – 3,200,000 records – 2018
  • Washington Department of Fishing and Wildlife (WA) – 2,435,452 records – 2016

Notably, two entities appear here twice: the U.S. Postal Service and the Office of Personnel Management. The Postal Service suffered its biggest breach in 2018 when a flaw led to 60 million of its users’ account details being exposed online. The Postal Service had been warned of this potential issue a year earlier. In 2014, hackers broke into the Postal Service’s network and stole 750,000 retirees’ and employees’ data and 2.9 million customers’ data. The Office of Personnel Management suffered its two biggest breaches in 2015, both of which involved hacks that led to employees’ details being exposed.

Of the other breaches, 4 were due to information being leaked or being insufficiently protected, 2 were due to hackers, and 1 was due to the theft of a laptop and some hard drives.

Most-breached government departments

Some government departments and agencies are breached more frequently than others. This might be due to poor security, more attack vectors, higher-value data, or a larger volume of data.

  • Department of Health: 29 cases in which departments of this type were hit by breaches, involving 174,547 records. These often occurred due to human error (e.g. mailing information to the wrong address or inadvertently posting information online) but also include hacking, laptop theft, and a case where two employees stole information to file fraudulent tax returns. New Hampshire’s Department of Health and Human Services was also hit when a former patient posted information about 15,000 people on a social media site, detailing who had received the department’s services.
  • Veterans Affairs: 33 cases involving 113,786 records. Several of these cases involve veterans’ data being incorrectly dumped without being shredded first or being left in public places for all to view. Others include hackings, inadvertently posting online or emailing data, and theft of laptops/hard drives.
  • City networks: 56 cities suffered data breaches during this period, affecting 244,440 records. A lot of these involved hacking, phishing emails, malware, and unauthorized access. A popular payment portal used by government websites (Click2Gov) also suffered a breach, affecting numerous cities.

States with the most data breaches

  • Washington, D.C.: 37 cases with 95,166,900 records affected. We have already mentioned four of DC’s largest data breaches (the 60 million people affected by the U.S. Postal Service breach in 2018 and the 3.65 million affected in 2014, and the 21.5 million and 4.2 million affected by the 2015 Office of Personnel Management breaches). Other large breaches include 2.3 million records exposed in 2019 due to the Federal Emergency Management Agency (FEMA) unnecessarily releasing data on disaster survivors to a contractor. 1.4 million people’s records were also put at risk in 2014 by the Internal Revenue Service (IRS) after contractors were found to have insufficient background checks for dealing with sensitive data. The IRS suffered 6 breaches since 2014.
  • California: 57 cases with 24,299,303 records affected. Two of these data breaches made our top 10 list: the 19.2 million affected in the Secretary of State breach and the 3.2 million affected in the Los Angeles County 211 data breach. Other large breaches include a phishing scam that targeted the County of Los Angeles in 2016 and led to 756,000 records compromised.
  • Texas: 25 cases with 3,423,326 records affected. The largest breach occurred in 2014 when it was discovered that a company that had worked on the Medicaid program for Texas Health and Human Services (Xerox) still had files relating to 2 million former and current clients and refused to return them. Then, in 2018, a security flaw allowed users of the Employees Retirement System of Texas to view other users’ information, affecting 1,248,263 people.
  • Ohio: 17 cases with 941,474 records affected. The largest was in 2018 when recruitmilitary.com suffered a breach resulting in 850,000 military officers’ personal details posted on a forum.
  • Florida: 22 cases with 318,610 records affected. The largest of Florida’s breaches affected 200,000 people in 2015 after a state employee of the Department of Children and Families accessed personal information and obtained names and Social Security numbers.

It’s no surprise Washington, D.C. tops the list. A lot of the high-profile government headquarters are based there, and the other top four states are some of the most populous. However, some smaller states have fewer data breaches but see far more records being affected:

  • Alabama: 5 cases with 1,397,389 records affected. This is largely due to the breach of America’s Joblink Alliance, which affected 10 states in total in 2017, including 1,393,109 in Alabama. This same data breach comprises most of the records exposed for Arkansas (597,374 of 631,268 records affected), Arizona (896,370 of 944,166 records affected), Delaware (236,134 records affected – accounting for the state’s entire total), Kansas (563,568 of 585,513 records affected), Maine (283,449 of 285,649 records affected), and Vermont (183,153 of 183,611 records affected).
  • Colorado: 12 cases with 663,418 records affected. The largest breach was in 2017 when a lapse in security led to the information on 620,945 jurors being available on the department’s intranet (a smaller number, 41,140, were also available online).
  • Georgia: 13 cases with 6,989,928 records affected. This is primarily due to the massive data breach affecting the Georgia Secretary of State in 2015. Six million people had their data put at risk when Brian Kemp’s office released personally identifiable data to political parties, the media, and other subscribers who pay for voter information. Two other large data breaches occurred in 2015 in the Department of Community Health, which was hacked on two occasions, affecting 557,779 and 355,127 people’s records.
  • Idaho: 5 cases with 962,369 records affected. The largest breach (of 788,064 records) occurred when a hacker compromised four state Department of Fish and Game websites in 2016. 170,517 records were also affected in the America’s Joblink Alliance breach.
  • Illinois: 15 cases with 1,016,769 records affected. Again, the largest of these was due to the breach at America’s Joblink Alliance (affecting 807,450 records), followed by 200,000 records exposed during a hack of the Illinois Board of Elections in 2016.
  • Indiana: 3 cases with 14,003,907 records affected. However, 14 million of these relate to the Government Payment Service, Inc. breach in 2018, which would have affected residents in several different states.
  • Kentucky: 3 cases with 2,127,457 records affected. Kentucky’s Department of Fish and Wildlife was also the target of the hacker who compromised four state websites in 2016. In this case, 2,126,449 people’s records were compromised.
  • Montana: 5 cases with 1,085,656 records affected. The largest of these was the hack of the Department of Public Health and Human Services in 2014, affecting 1,062,509 records.
  • Oklahoma: 7 cases with 779,543 records affected. 430,679 were part of the America’s Joblink Alliance breach and 293,492 were part of a breach in the Department of Securities in 2019, in which a storage server contained exposed data from as far back as 1986. 47,000 records were also breached at the Department of Human Services in 2017, when an unauthorized person gained access to a department computer, putting clients’ data at risk.
  • Oregon: 11 cases with 2,439,241 records affected. Oregon was also a victim of the hacker who targeted four government websites in 2016, exposing 1,195,204 records of its Department of Fish and Wildlife database. The Oregon Employment Department also suffered an intrusion on its website in 2014, exposing 851,322 records. A phishing scam gave thieves access to 350,000 Department of Human Service clients in 2019.
  • Virginia: 16 cases with 1,612,523 records affected. The largest of these was the Army National Guard data breach, which exposed 850,000 current and former soldiers’ personal details in 2015. It was followed by the breach of the Virginia Department of Medical Assistance that saw 697,586 records exposed in a hacking incident, also in 2015.
  • Washington: 15 cases with 7,462,510 records affected. 5 million of these were involved in the 2016 theft of a laptop and several hard drives, while 2,435,452 were part of the Department of Fishing and Wildlife hacking across four states in 2016.

What is perhaps most surprising is the fact that New York doesn’t appear anywhere on this list, despite it being the third-largest state by population and appearing second in our recent study on the states that suffer the most overall data breaches. Over the last 4.5 years, only 11 government/military data breaches were reported in NY, affecting 7,825 records, compared to 478 breaches affecting 206,932,121 records overall since 2014. This means government/military breaches make up just 2.3 percent of all New York’s data breaches.

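State | Total # of Breaches in the State | Total # of Records Affected in the State | # of Breaches 2014 | # of Records Affected 2014 | # of Breaches 2015 | # of Records Affected 2015 | # of Breaches 2016 | # of Records Affected 2016 | # of Breaches 2017 | # of Records Affected 2017 | # of Breaches 2018 | # of Records Affected 2018 | # of Breaches 2019 (to May) | # of Records Affected 2019 (to May)
Alabama | 5 | 1,397,389 | 2 | 3,500 | 0 | 0 | 1 | 0 | 2 | 1,393,889 | 0 | 0 | 0 | 0
Alaska | 6 | 2,096 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 1,521 | 4 | 575 | 0 | 0
Arizona | 6 | 944,166 | 2 | 45,296 | 1 | 0 | 1 | 0 | 2 | 898,870 | 0 | 0 | 0 | 0
Arkansas | 3 | 631,268 | 1 | 7,850 | 0 | 0 | 0 | 0 | 2 | 623,418 | 0 | 0 | 0 | 0
California | 57 | 24,299,303 | 10 | 20,577 | 9 | 70,064 | 12 | 1,191,435 | 8 | 19,203,424 | 17 | 3,812,803 | 1 | 1,000
Colorado | 12 | 663,418 | 2 | 15,619 | 4 | 23,774 | 2 | 2,130 | 4 | 621,895 | 0 | 0 | 0 | 0
Connecticut | 2 | 27,064 | 2 | 27,064 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Delaware | 1 | 236,134 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 236,134 | 0 | 0 | 0 | 0
District of Columbia | 37 | 95,166,900 | 7 | 5,125,439 | 4 | 26,042,000 | 13 | 1,072,579 | 3 | 100,000 | 9 | 60,526,882 | 1 | 2,300,000
Florida | 22 | 318,610 | 3 | 4,831 | 6 | 213,626 | 3 | 4,876 | 3 | 20,978 | 4 | 69,752 | 3 | 4,547
Georgia | 13 | 6,989,928 | 4 | 34,447 | 5 | 6,916,847 | 3 | 38,634 | 0 | 0 | 1 | 0 | 0 | 0
Hawaii | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Idaho | 5 | 962,369 | 0 | 0 | 0 | 0 | 2 | 788,064 | 1 | 170,517 | 1 | 1,728 | 1 | 2,060
Illinois | 15 | 1,016,769 | 5 | 2,368 | 2 | 1,000 | 1 | 200,000 | 2 | 808,174 | 3 | 4,136 | 2 | 1,091
Indiana | 3 | 14,003,907 | 0 | 0 | 1 | 1,262 | 0 | 0 | 0 | 0 | 2 | 14,002,645 | 0 | 0
Iowa | 8 | 12,789 | 2 | 2,904 | 0 | 0 | 1 | 425 | 2 | 3,789 | 3 | 5,671 | 0 | 0
Kansas | 6 | 585,513 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 563,568 | 5 | 21,945 | 0 | 0
Kentucky | 3 | 2,127,457 | 1 | 1,008 | 0 | 0 | 1 | 2,126,449 | 1 | 0 | 0 | 0 | 0 | 0
Louisiana | 3 | 11,881 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 11,881 | 1 | 0 | 0 | 0
Maine | 4 | 285,649 | 0 | 0 | 1 | 0 | 0 | 0 | 2 | 285,549 | 1 | 100 | 0 | 0
Maryland | 10 | 24,114 | 4 | 12,065 | 3 | 12,049 | 1 | 0 | 1 | 0 | 1 | 0 | 0 | 0
Massachusetts | 7 | 44,176 | 0 | 0 | 1 | 259 | 2 | 1,614 | 2 | 2,976 | 1 | 39,000 | 1 | 327
Michigan | 6 | 4,839 | 2 | 4,295 | 1 | 0 | 0 | 0 | 1 | 0 | 1 | 544 | 1 | 0
Minnesota | 7 | 161,201 | 1 | 500 | 0 | 0 | 1 | 55,813 | 0 | 0 | 3 | 93,599 | 2 | 11,289
Mississippi | 3 | 36,119 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 5,220 | 1 | 30,799 | 1 | 100
Missouri | 6 | 41,928 | 1 | 19,000 | 1 | 4,000 | 0 | 0 | 1 | 5,685 | 3 | 13,243 | 0 | 0
Montana | 5 | 1,085,656 | 2 | 1,062,509 | 0 | 0 | 1 | 185 | 1 | 20,000 | 1 | 2,962 | 0 | 0
Nebraska | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Nevada | 3 | 13,130 | 0 | 0 | 0 | 0 | 2 | 11,700 | 1 | 1,430 | 0 | 0 | 0 | 0
New Hampshire | 5 | 17,702 | 1 | 2,700 | 0 | 0 | 2 | 15,000 | 1 | 0 | 0 | 0 | 1 | 2
New Jersey | 5 | 50,786 | 1 | 9,462 | 0 | 0 | 0 | 0 | 2 | 40,061 | 1 | 1,263 | 1 | 0
New Mexico | 4 | 15,718 | 1 | 2,657 | 1 | 561 | 1 | 12,500 | 0 | 0 | 1 | 0 | 0 | 0
New York | 11 | 7,825 | 1 | 300 | 2 | 4,520 | 2 | 488 | 1 | 439 | 4 | 2,078 | 1 | 0
North Carolina | 14 | 137,455 | 3 | 48,752 | 3 | 3,094 | 0 | 0 | 4 | 44,812 | 3 | 797 | 1 | 40,000
North Dakota | 1 | 2,452 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 2,452 | 0 | 0 | 0 | 0
Ohio | 17 | 941,474 | 3 | 15,273 | 0 | 0 | 2 | 59,000 | 5 | 4,317 | 3 | 852,891 | 4 | 9,993
Oklahoma | 7 | 779,543 | 1 | 0 | 0 | 0 | 0 | 0 | 3 | 480,679 | 2 | 5,372 | 1 | 293,492
Oregon | 11 | 2,439,241 | 3 | 853,062 | 1 | 967 | 1 | 1,195,204 | 1 | 1,700 | 3 | 37,842 | 2 | 350,466
Pennsylvania | 8 | 397,638 | 0 | 0 | 2 | 81,463 | 1 | 865 | 2 | 517 | 2 | 313,791 | 1 | 1,002
Rhode Island | 4 | 13,400 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 6,700 | 2 | 6,700 | 0 | 0
South Carolina | 7 | 66,791 | 4 | 16,561 | 1 | 50,000 | 1 | 230 | 0 | 0 | 1 | 0 | 0 | 0
South Dakota | 2 | 2,211 | 0 | 0 | 2 | 2,211 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Tennessee | 9 | 4,615 | 5 | 2,128 | 0 | 0 | 1 | 1,800 | 1 | 687 | 1 | 0 | 1 | 0
Texas | 25 | 3,423,326 | 5 | 2,005,261 | 4 | 15,620 | 4 | 2,100 | 5 | 3,345 | 7 | 1,397,000 | 0 | 0
Utah | 2 | 35,000 | 0 | 0 | 1 | 14,000 | 0 | 0 | 1 | 21,000 | 0 | 0 | 0 | 0
Vermont | 11 | 183,611 | 3 | 66 | 1 | 80 | 3 | 312 | 1 | 183,153 | 0 | 0 | 3 | 0
Virginia | 16 | 1,612,523 | 4 | 54,777 | 4 | 1,547,586 | 4 | 5,051 | 0 | 0 | 2 | 909 | 2 | 4,200
Washington | 15 | 7,462,510 | 2 | 6,750 | 1 | 346 | 3 | 7,435,452 | 5 | 15,105 | 2 | 1,500 | 2 | 3,357
West Virginia | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Wisconsin | 8 | 263,099 | 1 | 843 | 1 | 637 | 0 | 0 | 2 | 0 | 3 | 258,899 | 1 | 2,720
Wyoming | 1 | 11,935 | 1 | 11,935 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
US | 2 | 805,664 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 805,664 | 1 | 0 | 0 | 0
Totals | 443 | 168,962,628 | 90 | 9,419,799 | 63 | 35,005,966 | 72 | 14,221,906 | 84 | 26,589,549 | 100 | 81,505,426 | 34 | 3,025,646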

Methodology

Using the reports produced by the Identity Theft Resource Center, we have collated all of the records of data breaches that have occurred within government/military departments. Where possible, the figures for the breaches have been assigned to the state where records were affected. However, in some cases, the figures will be allocated to the state where the company involved is headquartered. This is due to several states often being affected and a breakdown of figures per state being unavailable. Equally, if the data breach was US-wide, this will fall under “US” as it cannot be pinpointed to a state.

Furthermore, there may be some instances where the breach occurred in a previous year but wasn’t brought to the attention of the authorities until later on. And not every breach comes with a figure for the number of records affected (this may be unknown or may be below the threshold imposed by the state).

You can find a detailed list of the US government data breaches we analyzed here.