DATA SECURITY KNOWLEDGE BASE

From U.S. (federal) government agencies to state agencies, cyber attackers have dug up U.S. citizens’ private information through every level of government. But it’s not just hackers that have put Americans’ personal data at risk. Some of the biggest and most significant government data breaches come down to human error: from lost hard drives, misconfigured databases, and physical device theft to simple mistakes that lead to millions upon millions of leaked Social Security numbers, names, addresses, voting affiliations, and other sensitive data. Adding insult to injury, U.S. taxpayers usually end up footing the bill for the aftermath, including years of free identity theft and credit monitoring for the victims.

Listed from smallest to largest in terms of the number of individuals affected, the 10 biggest government data breaches include:

• 10. State of Texas: 3.5 Million Affected (April 2011)
• 9. South Carolina Department of Revenue: 3.6 Million Affected (October 2012)
• 8. Tricare: 4.9 Million Affected (September 2011)
• 7. Georgia Secretary of State Office: 6.2 Million Affected (November 2015)
• 6. Office of the Texas Attorney General: 6.5 Million Affected (April 2012)
• 5. Virginia Department of Health Professions: 8.3 Million Affected (May 2009)
• 4. U.S. Office of Personnel Management (OPM): 21.5 Million (June 2015)
• 3. U.S. Department of Veteran Affairs: 26.5 Million Affected (May 2006)
• 2. National Archives and Records Administration (NARA): 76 Million Affected (October 2009)
• 1. U.S. Voter Database: 191 Million Affected (December 2015)

Let’s take a closer look at the circumstances surrounding these 10 significant government data breaches.

10. State of Texas: 3.5 Million Affected (April 2011)

Image via By LoneStarMike - Own work, CC BY 3.0, Link.

In early 2011, the Texas Comptroller’s Office revealed a breach for 3.5 million Texans’ personal information, including Social Security numbers, dates of birth, and driver’s license numbers. The Comptroller’s mea culpa admitted that the office had inadvertently kept the sensitive information on a publicly accessible state server.

9. South Carolina Department of Revenue: 3.6 Million Affected (October 2012)

Image via Mykal McEldowney, The Greenville, S.C., News.

The South Carolina Department of Revenue suffered a data breach in 2012 that exposed 3.6 million Social Security numbers and 387,000 taxpayers’ credit and debit card numbers when a database server was hacked. The majority of the payment card numbers (371,000) were encrypted, but the sensitivity of the other data exposed prompted South Carolina to offer a year of free credit monitoring and identity theft protection to victims.

8. Tricare: 4.9 Million Affected (September 2011)

Image via liveClinic.

The 2011 Tricare data breach represents an unfortunate crossroads of government and healthcare data breaches: Science Applications International Corporation (SAIC), which oversaw Tricare’s security at the time, announced that data for 4.9 million military hospital and clinic patients had been compromised. The breach exposed personal data, including full names, home addresses, phone numbers, and Social Security numbers.

7. Georgia Secretary of State Office: 6.2 Million Affected (November 2015)

Image via By Connor.carey at English Wikipedia, CC BY-SA 3.0, Link.

In one of the biggest state-government data breaches to date, the George Secretary of State announced in late 2015 that 6.2 million voters’ private information, including Social Security numbers, had been accidentally included in a State Download File, sent to at least 12 groups. The leak, dubbed #PeachBreach, was later blamed on a systems programmer.

6. Office of the Texas Attorney General: 6.5 Million Affected (April 2012)

In early 2012, the Office of the Texas Attorney General mistakenly included sensitive information, including Social Security numbers, in a voter database file released to plaintiff attorneys. It’s estimated that approximately 6.5 million voters were compromised in the accidental information release. According to the Attorney General, the information was never exposed publicly.

5. Virginia Department of Health Professions: 8.3 Million Affected (May 2009)

Image via Virginia Department of Health Professions.

In mid-2009, a hacker reportedly breached a Virginia government health website used by state pharmacists and stole the personal information of 8.3 million Virginians. The hacker later taunted the government and FBI, demanding $10 million for the safe return of the information, which included patient records and prescriptions.

4. U.S. Office of Personnel Management (OPM): 21.5 Million (June 2015)

Image via Wikimedia Commons.

The Office of Personnel Management (OPM) manages the U.S. government’s employment records, both for employees and contractors, as well as certain personal information for civilian federal agencies. In mid-2015, the OPM announced it had discovered two separate (but linked) intrusions that affected an estimated 21.5 million people. Reportedly, the data was not encrypted at the time of the breach.

3. U.S. Department of Veteran Affairs: 26.5 Million Affected (May 2006)

Image via VA.gov.

In May 2006, a laptop containing sensitive VA information was lost. The result: private and sensitive information – names, dates of birth, and Social Security numbers, among other information – for 26.5 million veterans was compromised. Three years later, the VA agreed to pay $20 million to settle a class-action lawsuit – at the taxpayers’ expense, of course.

2. National Archives and Records Administration (NARA): 76 Million Affected (October 2009)

Image David Samuel, User:Hellodavey1902 - Own work, CC BY-SA 3.0, Link

Veterans took another hit in 2009. When a hard drive malfunctioned, the National Archives and Records Administration (NARA) sent it to GMRI, their IT contractor, for repairs. The problem: the hard drive contained the highly sensitive information for a reported 76 million veterans, and NARA forgot to wipe the drive before sending it off-premises.

1. U.S. Voter Database: 191 Million Affected (December 2015)

In the largest government data breach to date, a database of 191 million voters was exposed in late 2015. Again, and almost unfathomably, the problem came down to human error and oversight: the database was incorrectly configured and exposed on the open Internet. It contained the personal information – names, dates of birth, party affiliations, emails, addresses, and more – of all registered voters in the 50 states and the District of Columbia.