BreachExchange mailing list archives

Hacked Agencies are Inconsistent in Alerting Victims


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jan 2014 19:22:20 -0700

http://www.nextgov.com/cybersecurity/2014/01/hacked-agencies-are-inconsistent-about-alerting-potential-victims/76502/

Agencies are not in sync when it comes to notifying victims of hacks,
which might be impairing the government's ability to protect affected
federal employees and citizens from predators, according to a new federal
audit.

The number of reported government data breaches that compromised personal
information spiked 42 percent between fiscal years 2011 and 2012,
increasing from 15,584 cases to 22,156 cases, Government Accountability
officials report.

While the rate of reported hacks has grown, improvement in responding to
those hacks has not, according to their audit, which was released on
Wednesday.

Within eight agencies examined, "implementation of breach response policies
and procedures was not consistent," the report stated, adding that
consequently, "these agencies may not be taking corrective actions
consistently to limit the risk to individuals from [personal
information]-related data breach incidents."

For example, the Internal Revenue Service and Federal Retirement Thrift
Investment Board did not factor in the number of individuals affected to
calculate the likely risk of harm and level of impact of each incident.

And at the Centers for Medicare and Medicaid Services (which oversees
HealthCare.gov), the Veterans Affairs Department, the Federal Deposit
Insurance Corporation and the Federal Reserve Board, "we found that the
agencies did not always document the number of affected individuals for
each case," the study stated.

"While it may not be possible for an agency to determine the exact number
of affected individuals in every case, an estimate of the number of
affected individuals is important in determining the overall impact of a
data breach," the study added.

The review examined several past high-profile breaches at various agencies.
"Most notably," according to GAO, was the theft of VA computer equipment
containing personal information on about 26.5 million veterans and active
duty members. Auditors also looked at the 2011 hack of a computer
containing the Social Security numbers of 123,000 federal employee
retirement plan participants.

Wednesday's report does not address some of the most recent major
incidents, such as the Energy Department's sluggish response to a July 2013
breach that ultimately affected 104,000 federal employees and the 2011
theft of backup computer tapes containing sensitive health information of
4.9 million Military Health Care System TRICARE beneficiaries.

The audit partly blames the uneven incident response on incomplete guidance
from the Office of Management and Budget. After reading a draft report, OMB
officials asked GAO to specify what extra instructions agencies need. In
the final report, the auditors recommended that OMB provide directions on
notifying victims based on a hack's risk level, as well as criteria for
determining whether to offer individuals assistance, such as credit
monitoring.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com