A recent oversight report detailed that the Defense Department experienced nearly 1,900 breaches of personally identifiable information in 2021 and may need a better system for informing affected individuals.
A frequent target of cyberattacks, the Defense Department has dramatically curtailed the number of cyber incidents it has experienced from a peak of 3,880 in 2015 to 948 last year.
However, a Government Accountability Office report released Monday showed that while cyber intrusions and disruptions are down, data breaches involving personally identifiable information have more than doubled since 2015 to 1,891 reported cases last year.
While the DOD has policies for assessing the risk of a breach that includes the release of personally identifiable information notifying affected individuals, the governmental watchdog said it's unclear whether those policies have been fully implemented.
When a breach occurs, defense officials are supposed to perform a risk assessment of the breach based on the nature and sensitivity of the information in question, likelihood of access to and use of the information and the type of breach.
From there, breaches are reported to the senior component official for privacy within the agency that the intrusion occurred. That official then reports the breach to the DOD Privacy Office's online repository — known as the Compliance and Reporting Tool — and determines whether to notify affected individuals based on the severity of the attack and offer resources like credit monitoring.
But the GAO discovered that out of a random sampling of reported data breaches that occurred between 2017-2020 that the DOD only contacted 18%of individuals designated to be notified of a breach within a 10-day requirement.
Another 15% of cases indicated that "the notification determination was pending," while 30 reported breaches did not fully establish whether a risk assessment had been performed.
In 30 breach cases where reports indicated that DOD had contacted affected individuals, the GAO found that 26 cases did not have documentation confirming a record of the notification.
DOD privacy officials told the watchdog that the department was developing a new breach reporting system that will have a built-in risk assessment module with the goal of deploying it by early fiscal 2023.
Among six GAO recommendations made for improving DOD cyber incident reporting, the watchdog said the Defense Secretary should ensure that the department's components maintain records of when affected individuals are notified of a PII data breach.
DOD officials concurred with the GAO's six recommendations, including maintaining records of individual notifications of a PII data breach.