Government breaches – can you trust the US Government with your data?

Since 2014, the US government has suffered 822 breaches affecting nearly 175 million records. Based on the average cost per breached record (as reported by IBM each year), we estimate these breaches have cost government entities over $26 billion from 2014 to October 2022.

In 2018 and 2019, the number of government breaches hit an all-time high with 116 and 118 breaches respectively. In 2020, breaches decreased to 107 before increasing again to 116 in 2021. So far this year, there have been 61 data breaches affecting 2.9 million people.

The number of records affected in these data breaches has fallen significantly in the last few years. 2018 saw a colossal 83 million breached records, mainly stemming from one breach at the US Postal Service that affected 60 million records. In 2019, this figure dropped to 1.4 million before hovering around the 3 million mark for the next three years.

Over the last four years, the average number of records involved per government data breach has increased. From 17,400 in 2019 to 42,097 in 2020 and 40,440 in 2021, the average number of records affected per breach in 2022 currently stands at 71,534. While the frequency of attacks may have declined, the impact of individual attacks has increased. The true extent of breaches often isn’t felt for months, if not years, so the average number of records affected per breach for this year could yet increase further.

So, what are these data breaches costing the government, how have government breaches developed over time, and what trends have we seen in recent years?

Our team of researchers has collated information on government data breaches dating back as far as 2014. We’ve searched through state data breach reports, federal reports, news, press releases, and industry reports to create an extensive list of breaches that have affected government agencies across the United States.

Breach definitions: Card (debit/credit card not via hacking, e.g. skimming), Hack (outside party or malware), Insd (insider: employee, third-party, or customer), Phys (paper documents), Port (portable devices, e.g. laptops, memory sticks, and hard drives), Rans (ransomware), Stat (stationary computer), Disc (unintended disclosure, e.g. sensitive information posted publicly), Unkn (unknown). While phishing attacks aren’t listed separately here, they may be the method used to initiate hacks and ransomware attacks.

Key findings

From 2014 to October 2022:

  • 822 government entities suffered data breaches
  • 174,963,934 records were affected because of these breaches
  • The cost of these affected records was $26 billion
  • 2019 was the biggest year for breaches with 118 in total, followed closely by 2018 and 2021, both with 116
  • 2018 had the highest number of records affected: 83,293,815 in total
  • California had the most breaches overall (108) and the District of Columbia had the highest number of records affected overall (91.2 million). DC’s vast number of affected records stems from many government offices being based here
  • The most common type of breach was hacking with 256 breaches. Those involving inadvertent disclosure were the second-largest breach type with 192 breaches
  • Cities/towns were the most-affected government entity type from 2019 to Oct 2022 with 124 breached, while counties were breached 56 times during the same time period

Which state had the most government data breaches from 2014 to October 2022?

With 108 separate breaches, California had the most government data breaches during this time period, significantly higher than any other state. The District of Columbia and Texas were the second-highest states for government breaches but saw less than half the number of CA’s breaches with just 45 each. They were followed by Florida with 44 breaches, Massachusetts (40), and Washington (35).

The District of Columbia recorded a significantly high number of breached records (91.2 million). As mentioned, this is due to many government entities being based within this state. Therefore, the records affected in DC likely impact many residents across all states in the US. This is why we have excluded it from the above map.

California also had a high number of breached records at 24.5 million. The vast majority of these records came from the California Secretary of State breach in 2017 when 19.2 million voter records were left exposed on an unprotected database.

Indiana saw 14.8 million records affected across just 17 breaches. Nearly all of these came from the breach on the Government Payment Service, Inc. The District of Columbia, California, and Indiana were the only states to have more than 10 million breached records. A further 10 states had more than a million breached records, including Washington, Georgia, Texas, Oregon, Kentucky, Virginia, Illinois, Alabama, Montana, and Arizona.

When looking at the number of government records affected per 100,000 people, DC records a whopping 13.6 million per 100,000 people. However, as many of the breaches in this state affected the entire nation, it wouldn’t be fair to use this in our comparison.

When excluding DC, Indiana records the highest number of records affected per 100,000 people with 216,891 records in total. The only other state to have more than 100,000 records per 100,000 people was Washington with 128,400 records.

Other states with high numbers of records affected per 100,000 people include Montana (98,370), Alaska (85,509), and Georgia (62,582).

Nearly half of all states (22) reported more than 10,000 breached records per 100,000 people.

Government data breaches and records affected by year and state

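| State | Total # of Breaches | Total # of Records Affected | State Population | # of Records Affected per 100,000 People | 2014: # of Breaches | 2014: # of Records Affected | 2015: # of Breaches | 2015: # of Records Affected | 2016: # of Breaches | 2016: # of Records Affected | 2017: # of Breaches | 2017: # of Records Affected | 2018: # of Breaches | 2018: # of Records Affected | 2019: # of Breaches | 2019: # of Records Affected | 2020: # of Breaches | 2020: # of Records Affected | 2021: # of Breaches | 2021: # of Records Affected | 2022 (to Oct): # of Breaches | 2022 (to Oct): # of Records Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Alabama | 9 | 1,412,332 | 5,039,877 | 28,023 | 2 | 3,500 | 0 | 0 | 1 | 0 | 2 | 1,393,889 | 0 | 0 | 1 | 12,774 | 1 | 0 | 2 | 2,169 | 0 | 0 |
| Alaska | 10 | 626,498 | 732,673 | 85,509 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 1,521 | 5 | 575 | 1 | 11,402 | 1 | 113,000 | 1 | 500,000 | 0 | 0 |
| Arizona | 9 | 1,067,881 | 7,276,316 | 14,676 | 2 | 45,296 | 1 | 0 | 1 | 0 | 2 | 898,870 | 0 | 0 | 1 | 2 | 0 | 0 | 1 | 200 | 1 | 123,513 |
| Arkansas | 5 | 653,422 | 3,025,891 | 21,594 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 623,418 | 0 | 0 | 0 | 0 | 3 | 30,004 | 0 | 0 | 0 | 0 |
| California | 108 | 24,529,225 | 39,237,836 | 62,514 | 11 | 20,577 | 8 | 69,184 | 12 | 1,191,435 | 8 | 19,203,424 | 18 | 3,812,803 | 12 | 63,575 | 11 | 124,040 | 20 | 43,583 | 8 | 604 |
| Colorado | 18 | 746,692 | 5,812,069 | 12,847 | 2 | 15,619 | 4 | 23,774 | 2 | 2,130 | 4 | 621,895 | 0 | 0 | 2 | 0 | 2 | 72,025 | 1 | 6,132 | 1 | 5,117 |
| Connecticut | 8 | 64,227 | 3,605,597 | 1,781 | 2 | 27,064 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 37,000 | 1 | 163 | 0 | 0 | 3 | 0 |
| Delaware | 5 | 348,831 | 1,003,384 | 34,765 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 236,134 | 0 | 0 | 2 | 95,623 | 1 | 10,000 | 0 | 0 | 1 | 7,074 |
| District of Columbia | 45 | 91,228,110 | 670,050 | 13,615,120 | 8 | 5,152,439 | 3 | 21,842,000 | 13 | 1,072,579 | 4 | 104,200 | 11 | 62,826,882 | 2 | 184,010 | 3 | 46,000 | 1 | 0 | 0 | 0 |
| Florida | 44 | 956,697 | 21,781,128 | 4,392 | 3 | 4,831 | 6 | 213,626 | 3 | 4,876 | 4 | 35,506 | 6 | 73,542 | 11 | 78,738 | 8 | 485,795 | 3 | 59,783 | 0 | 0 |
| Georgia | 21 | 6,758,567 | 10,799,566 | 62,582 | 4 | 34,447 | 4 | 6,561,720 | 2 | 37,634 | 0 | 0 | 1 | 0 | 3 | 8,205 | 3 | 52,732 | 2 | 4,765 | 2 | 59,064 |
| Hawaii | 1 | 150 | 1,441,553 | 10 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 150 | 0 | 0 | 0 | 0 |
| Idaho | 12 | 968,346 | 1,900,923 | 50,941 | 0 | 0 | 0 | 0 | 2 | 788,064 | 1 | 170,517 | 2 | 3,788 | 1 | 0 | 3 | 4,469 | 2 | 535 | 1 | 973 |
| Illinois | 26 | 1,417,381 | 12,671,469 | 11,186 | 5 | 2,368 | 2 | 1,000 | 1 | 200,000 | 2 | 808,174 | 3 | 4,136 | 2 | 1,091 | 3 | 355,763 | 6 | 4,167 | 2 | 40,682 |
| Indiana | 17 | 14,761,585 | 6,805,985 | 216,891 | 0 | 0 | 1 | 1,262 | 0 | 0 | 0 | 0 | 2 | 14,002,645 | 2 | 1,288 | 5 | 1,535 | 5 | 754,853 | 2 | 2 |
| Iowa | 17 | 28,103 | 3,193,079 | 880 | 2 | 2,904 | 0 | 0 | 1 | 425 | 2 | 3,789 | 2 | 4,600 | 4 | 8,840 | 4 | 6,844 | 2 | 701 | 0 | 0 |
| Kansas | 6 | 585,513 | 2,934,582 | 19,952 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 563,568 | 5 | 21,945 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Kentucky | 10 | 2,182,532 | 4,509,394 | 48,400 | 1 | 1,008 | 0 | 0 | 1 | 2,126,449 | 1 | 0 | 0 | 0 | 0 | 0 | 5 | 54,612 | 1 | 0 | 1 | 463 |
| Louisiana | 7 | 327,535 | 4,624,047 | 7,083 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 11,881 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 230,188 | 3 | 85,466 |
| Maine | 10 | 286,748 | 1,372,247 | 20,896 | 0 | 0 | 1 | 0 | 0 | 0 | 2 | 285,549 | 1 | 100 | 1 | 95 | 1 | 1,000 | 2 | 1 | 2 | 3 |
| Maryland | 16 | 305,116 | 6,165,129 | 4,949 | 4 | 12,065 | 3 | 12,049 | 1 | 0 | 1 | 0 | 1 | 0 | 3 | 278,002 | 1 | 3,000 | 2 | 0 | 0 | 0 |
| Massachusetts | 40 | 172,950 | 6,984,723 | 2,476 | 0 | 0 | 1 | 259 | 2 | 1,614 | 2 | 2,976 | 1 | 39,000 | 11 | 68,284 | 6 | 1,357 | 10 | 34,959 | 7 | 24,501 |
| Michigan | 14 | 7,900 | 10,050,811 | 79 | 2 | 4,295 | 1 | 0 | 0 | 0 | 1 | 0 | 1 | 544 | 2 | 0 | 2 | 0 | 1 | 494 | 4 | 2,567 |
| Minnesota | 13 | 207,239 | 5,707,390 | 3,631 | 1 | 500 | 0 | 0 | 1 | 55,813 | 0 | 0 | 3 | 93,599 | 4 | 27,085 | 4 | 30,242 | 0 | 0 | 0 | 0 |
| Mississippi | 3 | 36,119 | 2,949,965 | 1,224 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 5,220 | 1 | 30,799 | 1 | 100 | 0 | 0 | 0 | 0 | 0 | 0 |
| Missouri | 8 | 156,020 | 6,168,187 | 2,529 | 1 | 19,000 | 1 | 4,000 | 0 | 0 | 1 | 5,685 | 3 | 13,243 | 0 | 0 | 1 | 113,579 | 1 | 513 | 0 | 0 |
| Montana | 9 | 1,086,275 | 1,104,271 | 98,370 | 2 | 1,062,509 | 0 | 0 | 1 | 185 | 1 | 20,000 | 1 | 2,962 | 3 | 526 | 1 | 93 | 0 | 0 | 0 | 0 |
| Nebraska | 3 | 9,332 | 1,963,692 | 475 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 2 | 9,332 | 0 | 0 |
| Nevada | 4 | 13,130 | 3,143,991 | 418 | 0 | 0 | 0 | 0 | 2 | 11,700 | 1 | 1,430 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
| New Hampshire | 12 | 62,323 | 1,388,992 | 4,487 | 1 | 2,700 | 0 | 0 | 2 | 15,000 | 1 | 0 | 1 | 2 | 1 | 1 | 2 | 44,523 | 2 | 53 | 2 | 44 |
| New Jersey | 16 | 126,884 | 9,267,130 | 1,369 | 1 | 9,462 | 0 | 0 | 0 | 0 | 2 | 40,061 | 1 | 1,263 | 4 | 2,382 | 2 | 50,702 | 3 | 4,158 | 3 | 18,856 |
| New Mexico | 5 | 15,995 | 2,115,877 | 756 | 1 | 2,657 | 1 | 561 | 1 | 12,500 | 0 | 0 | 1 | 0 | 0 | 0 | 1 | 277 | 0 | 0 | 0 | 0 |
| New York | 21 | 61,467 | 19,835,913 | 310 | 2 | 403 | 2 | 4,520 | 2 | 488 | 1 | 439 | 5 | 2,078 | 1 | 10,253 | 3 | 15,003 | 3 | 28,283 | 2 | 0 |
| North Carolina | 16 | 225,825 | 10,551,162 | 2,140 | 3 | 48,752 | 2 | 2,570 | 0 | 0 | 4 | 44,812 | 4 | 40,797 | 1 | 1,900 | 1 | 2,134 | 1 | 84,860 | 0 | 0 |
| North Dakota | 3 | 28,038 | 774,948 | 3,618 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 2,452 | 0 | 0 | 1 | 25,586 | 0 | 0 | 1 | 0 | 0 | 0 |
| Ohio | 27 | 331,101 | 11,780,017 | 2,811 | 3 | 15,273 | 0 | 0 | 2 | 59,000 | 5 | 4,317 | 2 | 2,162 | 4 | 25,232 | 2 | 413 | 6 | 190,666 | 3 | 34,038 |
| Oklahoma | 22 | 855,075 | 3,986,639 | 21,449 | 1 | 0 | 0 | 0 | 0 | 0 | 4 | 489,308 | 3 | 298,864 | 4 | 4,298 | 3 | 9,573 | 6 | 51,555 | 1 | 1,477 |
| Oregon | 20 | 2,491,561 | 4,246,155 | 58,678 | 3 | 853,062 | 1 | 967 | 1 | 1,195,204 | 1 | 1,700 | 6 | 38,308 | 5 | 362,320 | 1 | 0 | 1 | 40,000 | 1 | 0 |
| Pennsylvania | 20 | 585,990 | 12,964,056 | 4,520 | 0 | 0 | 2 | 81,463 | 1 | 865 | 2 | 517 | 3 | 314,793 | 4 | 2,262 | 4 | 27,360 | 3 | 157,282 | 1 | 1,448 |
| Rhode Island | 5 | 17,938 | 1,095,610 | 1,637 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 6,700 | 0 | 0 | 0 | 0 | 1 | 2 | 1 | 5,015 | 1 | 6,221 |
| South Carolina | 10 | 69,941 | 5,190,705 | 1,347 | 4 | 16,561 | 1 | 50,000 | 1 | 230 | 0 | 0 | 1 | 0 | 1 | 824 | 0 | 0 | 2 | 2,326 | 0 | 0 |
| South Dakota | 3 | 3,586 | 895,376 | 401 | 0 | 0 | 2 | 2,211 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1,375 | 0 | 0 | 0 | 0 | 0 | 0 |
| Tennessee | 12 | 5,070 | 6,975,218 | 73 | 5 | 2,128 | 0 | 0 | 1 | 1,800 | 1 | 687 | 2 | 0 | 1 | 0 | 2 | 455 | 0 | 0 | 0 | 0 |
| Texas | 45 | 5,958,416 | 29,527,941 | 20,179 | 5 | 2,005,261 | 4 | 15,620 | 4 | 2,100 | 5 | 3,345 | 7 | 1,397,000 | 9 | 14,719 | 3 | 5,483 | 4 | 699,850 | 4 | 1,815,038 |
| Utah | 2 | 35,000 | 3,337,975 | 1,049 | 0 | 0 | 1 | 14,000 | 0 | 0 | 1 | 21,000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Vermont | 15 | 283,943 | 645,570 | 43,983 | 3 | 66 | 1 | 80 | 3 | 312 | 1 | 183,153 | 2 | 0 | 1 | 0 | 1 | 0 | 3 | 100,332 | 0 | 0 |
| Virginia | 18 | 1,593,889 | 8,642,274 | 18,443 | 3 | 27,777 | 4 | 1,547,586 | 4 | 5,051 | 0 | 0 | 2 | 909 | 3 | 12,249 | 0 | 0 | 2 | 317 | 0 | 0 |
| Washington | 35 | 9,936,453 | 7,738,692 | 128,400 | 2 | 6,750 | 0 | 0 | 3 | 7,435,452 | 3 | 9,915 | 4 | 4,857 | 4 | 17,156 | 6 | 1,615,162 | 10 | 250,901 | 3 | 596,260 |
| West Virginia | 1 | 6,079 | 1,782,959 | 341 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 6,079 | 0 | 0 |
| Wisconsin | 13 | 304,605 | 5,895,908 | 5,166 | 1 | 843 | 1 | 637 | 0 | 0 | 2 | 0 | 4 | 261,619 | 1 | 0 | 1 | 1,924 | 1 | 1,614 | 2 | 37,968 |
| Wyoming | 1 | 164,021 | 578,803 | 28,338 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 164,021 | 0 | 0 | 0 | 0 |
| TOTALS | 822 | 174,963,934 | | | 90 | 9,400,117 | 58 | 30,449,089 | 71 | 14,220,906 | 85 | 26,611,716 | 116 | 83,293,815 | 118 | 1,357,197 | 107 | 3,494,049 | 116 | 3,275,666 | 61 | 2,861,379 |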

The cost of government data breaches by year

According to IBM, the average cost per record involved in a breach in 2022 is $164, a slight increase on 2021’s cost of $161. 2022’s figure is the highest IBM has recorded over the last nine years, with 2017 being the lowest at $141.

Using IBM’s yearly data on the cost per breached records, we’ve been able to estimate how much these breaches have cost government entities.

From the start of 2014 to October 2022, we estimate data breaches have cost US government organizations over $26 billion.

While this figure sounds relatively high for these 822 data breaches, the true costs are likely much higher. This is not just because of all of the other costs involved in a data breach (e.g. recovery costs and ransom payments) but because some figures are unavailable for the number of records involved in these breaches.

As the 2022 IBM study reveals, the cost of data breaches within organizations labeled “critical infrastructure,” e.g. the public sector, is often much higher. It found that the average cost of a data breach within this category was $4.82 million, $1 million more than for organizations within non-critical infrastructure, e.g. services, hospitality, and entertainment.

The top 5 biggest government data breaches (since 2014)

  1. The US Postal Service, 2018 – 60 million records: A flaw led to the exposure of 60 million users’ account details – something USPS was warned about a year prior.
  2. The Office of Personnel Management, 2015 – 21.5 million records: Hackers stole the information of 21.5 million former and current US government employees.
  3. California Secretary of State, 2017 – 19.2 million records: Voter records for more than 19 million people were available for all to view after a database was left unprotected.
  4. Government Payment Service, Inc., 2018 – 14 million records: GovPayNow.com, which is used by thousands of local and state governments, leaked over 14 million customer records, including names, phone numbers, addresses, and the last four digits of the payer’s card.
  5. Georgia Secretary of State, 2015 – 6 million records: A massive data breach occurred when Brian Kemp’s office released data, including personally identifiable information, to political parties, the media, and other subscribers who buy voter information (legally) from the state.

What type of government entities were most affected from 2019 to Oct 2022?

To get a more granular look at how government data breaches have developed in recent years, we’ve explored the number of breaches and records affected by government entity type (due to data being more readily available for these years).

Over 30 percent of the government breaches we found from 2019 to October 2022 affected city/town governments. This was considerably higher than counties, which featured in second place with a total of 56 breaches. These were closely followed by law enforcement (53) and departments of health (30).

The 124 breaches on towns/cities affected 806,704 people. The worst breach was in the City of Tucson, Arizona, when the city’s network was compromised in May 2022, affecting 123,513 records.

Other large-scale breaches included:

  • The City of Independence, MO – 2020: 113,579 records were breached after a ransomware attack occurred on city systems.
  • The City of Harrisburg, PA – 2021: 72,000 people’s data was mishandled after a city employee set up an unauthorized Google account to share information relating to COVID-19 exposure.
  • The City of Pensacola, FL – 2019: 60,000 people were affected after a ransomware attack.
  • The Town of Concord, MA – 2019: 108 hard drives containing the personal data of 57,116 people went missing in 2019.

County governments accounted for 14 percent of the total breaches suffered across this time period with 56 in total and 798,334 people affected.

  • Denton County, TX – 2021: 326,417 residents had their personal information exposed, including COVID-19 vaccination information, due to a vulnerability in a third-party app.
  • Cook County, IL – 2020: Criminal domestic violence case information was exposed in a leak; nearly all of the 323,277 records contained at least some personal information.
  • Harris County, TX – 2021: Certain protected health information was inadvertently made accessible on the County’s Justice Administration Department website from March to May (26,000 records).

They were closely followed by law enforcement agencies (13%) with 53 police departments, sheriff’s offices, prisons, and other entities suffering breaches. Some of the largest breaches across law enforcement included:

  • Caddo Parish District Attorney’s Office, LA – 2021: Caddo DA discovered its computers had been infected with malware, which led to 230,188 records being affected.
  • Defense Information Systems Administration, MD – 2019: Personal information of 200,000 people was compromised at the Defense Information Systems Administration. It took nearly a whole year to notify individuals of the breach.
  • U.S. Customs and Border Protection, DC – 2019: 184,000 images including photos of people’s faces and license plates were compromised as part of an attack on a federal subcontractor at a single land border entry point which remained unnamed.

How is 2022 looking for government data breaches so far?

Early on in 2022, breach numbers were high with January experiencing 10 breaches, and February, 12. In total, 2022 has seen 61 government data breaches up until October with 2,861,379 records breached at the time of writing. Even though breaches are lower than in previous years, it is likely the figures we’ve recorded over the past few months will increase as more breaches are publicized.

As we have seen, the number of records affected is high, too. The average number of records breached is 71,534, a vast increase on the figures we have seen over the last four years. IBM’s 2022 report on the cost of data breaches suggests the cost per breached record is at an all-time high of $164. Based on the reports we’ve found so far, this equates to a cost of more than $469.2 million in breached records for 2022 from January to October alone.

Methodology

Using state reports, government reports, news, press releases, and industry reports, we have collated all of the records of data breaches that have occurred within federal, state, county, and city government and military departments. Where possible, the figures for the breaches have been assigned to the state where records were affected. However, in some cases, the figures will be allocated to the state where the department involved is headquartered. This is due to several states often being affected and a breakdown of figures per state being unavailable.

Furthermore, there may be some instances where the breach occurred in a previous year but wasn’t brought to the attention of the authorities until later on. And not every breach comes with a figure for the number of records affected (this may be unknown or may be below the threshold imposed by the state). BlueLeaks was logged as one breach due to the wide range of entities (of which there is no exact figure) being affected. It was also logged as “US” as it cannot be pinpointed to a specific state.

Figures for previous years may have changed since our last study due to updated reports with exact breach dates.

Each breach was categorized into one of 24 government organization types, which are as follows:

  • Animals and Food
  • Board of Commissioners
  • Child and Family Services
  • City
  • County
  • Department of Corrections and Rehabilitation
  • Department of Economic Opportunity
  • Department of Education
  • Department of Health
  • Department of Human Services
  • Department of Information Technology
  • Department of Labor
  • Department of Public Works
  • Division of Elections
  • Finance
  • Housing Authority
  • Law Enforcement
  • Other
  • Park District
  • State Bar
  • Town
  • Transportation Authority
  • Utilities
  • Veterans

A handful of breaches may appear in this study and our medical data breach study. This is due to some attacks on government entities, e.g. a Department of Health, affecting medical data. Public hospitals and medical centers (aside from ones run by Veteran Affairs) aren’t included, however.

Data researcher: Charlotte Bond

You can see the full list of sources used in this study here.