Beware of the self-inflicted data breach

While government agencies invest in protecting themselves from external cyber threats, a Verizon report to be published April 23 warns that many data breaches are self-inflicted.

Of the over 63,000 cyber incidents across public and private industries that Verizon studied for its 2014 Data Breach Investigations Report, more than a quarter were due to miscellaneous errors such as accidental online publishing or sending an email to the wrong recipient. As the country’s largest employer and a gatekeeper of untold amounts of data on employees and constituents, the federal government is prone to sending non-public information to the wrong person, the report found.

Agencies might be aware of the problem “on a micro-scale, but they don’t know how big the problem really is,” said Chris Porter, managing principal of the Verizon Cyber Intelligence Center and co-author of the report.

Installing data loss prevention software and instituting “a blanket prohibition against storing un-redacted documents on a file server that also has a Web server running” are two ways that organizations can guard against unintentional disclosures of sensitive data, the report said.

The number of organizations contributing data to the annual report has risen sharply in the last few years, from five in 2012 to 18 organizations last year, and now 50 organizations in 2014, Porter said. U.S. government and government-related organizations that contributed data this year included the Department of Homeland Security, the Electricity Sector Information Sharing and Analysis Center, and the Secret Service.

Verizon decided to expand the scope of the report significantly this year by including data from cyber “incidents,” or whenever a system was threatened, and not just when an actual theft occurred. As organizations shared their security data for the report, “we realized that they had a lot more data than just confirmed data breaches, and that there was a lot for us to learn from focusing on other types of incidents as well,” Porter added.

There is still a need for detailed studies of how individual cyber breaches occur, he argued. While public disclosure laws often require organizations to tell their customers about a breach, “the one thing that we don’t learn about any of these events is how they happened,” he said.

The National Transportation Safety Board thoroughly investigates every plane crash and delivers a post-mortem report so airlines can avoid the same mistakes, Porter said. Why can’t the security industry be the same way?

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Connect with Lyngaas on Twitter: @snlyngaas.
