
The White House’s FISMA Annual Report chronicled no fewer than eleven “major incidents” that significantly impacted multiple federal agencies last year. In other words, eleven severe government data breaches occurred during 2023 that warrant intensive consideration.
General Cybersecurity Trends in Government
While the most headline-worthy, these are by no means isolated incidents. The report noted a general upward trend in the number of cybersecurity events reported to federal agencies, who attributed much of the rise to “improved detection capabilities at Security Operations Centers (SOCs), additional automation and training, and changes in event and incident tracking methodologies.”
However, the trend is still worth noting. Per the report, nearly ten percent more cybersecurity incidents were reported this year than last, for a total of 32,211. They typically fall into one of these categories:
“Improper usage,” or actions violating an agency’s acceptable use policies, accounted for nearly four in ten cases.
“Email/Phishing” was the second most prevalent attack vector at roughly twenty percent and represented the largest increase YoY.
“Other/Unknown” ranks as the third highest culprit, but actually experienced a significant overall decrease from the year before.
The findings suggest that, although “many lack automated enforcement or prevention mechanisms,” agencies have significantly improved their ability to detect security threats and policy violations.
11 Major Government Data Breaches
When security events are reported to a federal agency, they are classified by severity. The National Cyber Incident Scoring System (NCISS) assigns a systematized measure of risk ranging from Baseline (negligible) to Emergency (all hands on deck). This year, eleven cases were classified as “major incidents” when reported to their respective government agencies:
Department of Health and Human Services (HHS)
PII Lost in Medicare and Medicaid Raid
A ransomware attack hit a third-party system supporting HHS’ Centers for Medicare and Medicaid Services (CMS), exposing the Personally Identifiable Information (PII) of over 2.8 million individuals, including bank account information, addresses, dates of birth, and Medicare beneficiary identifiers.
Zero Days Hit Contractors
Two HHS-hired contractors were hit by a zero-day exploit, which led to the possible compromise of 1.88 million individuals’ PII across the Centers for Disease Control and Prevention (CDC), the National Institutes of Health, and more. Supply chain attacks appear to be on the rise, as both cases reported to HHS involved compromised third-party systems.
Department of the Treasury
IRS Coding Error
An accidental disclosure of the IRS’ 990-T forms (Exempt Organization Business Income Tax Return) exposed names, email addresses, and phone numbers. The incident was due to a coding error. Dynamic application security testing (DAST) can go a long way toward discovering such errors before they prove fatal.
OIG APT
A phishing attack in the Office of the Inspector General (OIG) led to a state-sponsored advanced persistent threat (APT) accessing an employee’s account for over twelve hours, though no vital information was divulged due to defense-in-depth techniques.
Department of Justice
USMS Computer System
A United States Marshals Service (USMS) computer system suffered a ransomware attack, losing PII from USMS personnel and legal processes. Concerned parties were notified, and the system was reconstituted to continue mission operations.
Third-Party Data Analytics Provider
Another breach involved a private-sector third party, this time in systems offering case-specific data analysis support for several U.S. Attorney’s Offices and the Civil Division. The ransomware attack exposed valuable PII and personal/protected health information (PHI), and another third party was called in to handle investigation and response.
Department of the Interior
Payroll Services Configuration Error
As noted in the report, an “authorized developer” modified a security policy in a system operated by the Interior Business Center (IBC). This system provides payroll services to federal agency customers. After the modification, the personnel records of three dozen of those federal agency customers were exposed to a limited number of HR professionals, resulting in roughly 147,000 affected individuals. IBC has since notified individuals and strengthened both processes and training.
In these first seven examples alone, we see several notable themes:
The need to improve government supply chain cybersecurity for federally contracted third parties (consider DARPA compliance)
Ransomware as a commonly successful attack vector against the federal government
Coding and configuration errors leaving room for threat actors to slip through
Cyberattacks against government entities are not new, nor are they letting up any time soon. Attacks like these will be tried again, especially the ones that were successful. The most we can do as an industry to prepare for what is coming next is to spot attacker trends, notice our weak spots, and improve our security strategies with purpose-built solutions so that what worked in the past won’t work again.
Make Fortra Your Cybersecurity Ally
Our mission at Fortra is to help organizations increase security maturity while decreasing operational burden. Our vision is a stronger, simpler future for cybersecurity. Who’s with us?