Report: Data loss widespread at government agencies

Computerworld - Loss of personal data at U.S. government agencies is all too common, according to a report released by the House Government Reform Committee (download PDF).

According to the report, which was released Friday, 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. In addition, those agencies don't always know what information has been lost or how many people could be affected because they aren't tracking those losses, the report said.

"For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, 'the department did not track the content of lost, stolen, or otherwise compromised devices,' " the report stated.

Only a small number of the data breaches were caused by hackers breaking into computer systems, the report said. Most of the data losses stemmed from the theft of laptops, drives and disks, as well as unauthorized use of the information by employees, the report said. Contractors were also responsible for many of the reported breaches, the report said.

The Department of Agriculture told the committee that it had had eight incidents involving the loss or compromise of sensitive personal information since Jan. 1, 2003.

Those incidents include an e-mail that was sent to 1,537 people on Dec. 17, 2004, that contained, as an attachment, a database containing the Social Security numbers and other personal information of those 1,537 individuals. In response to the incident, the department sent a letter of apology to all of the individuals involved and developed additional security training.

On Feb. 24, 2005, a system containing research data was compromised by someone cracking a password or a user account and installing hacking software, the report said. The department said no information was compromised, but the intruder had read/write access to the server and was able to open access points. In response, the department disabled the log-in account that was cracked and limited access to the building.

The Department of Commerce reported 297 incidents involving the loss or compromise of personal information, the report said. The department said 217 laptops containing sensitive data have been lost, stolen or misplaced. In a separate briefing, the department told members of Congress that since 2001, 1,137 laptops have been stolen, lost or reported missing, according to the report. There is no indication of what steps the department has taken to prevent similar incidents.

The Department of Defense said it had 43 incidents involving the loss or compromise of personal data. For example, on April 5, the department said hackers stole data from its Tricare Management Activity system, including personal data on approximately 14,000 active duty and retired service members and dependents, according to the report. In response to the incident, affected members were notified and new security measures were implemented.