Plain and simple stupidity and negligence caused most of the rest. In 78 of the breach incidents, government employees inadvertently disclosed citizens' private information by posting it on a public website or sending it to the wrong people. Loss of physical, paper documents -- not digital ones -- accounted for another 46 data breaches. In 51 of the cases, government bureaucrats lost our private data by losing track of a portable device such as a laptop, smartphone, hard drive or backup tape. A few of the breaches took place after these rocket scientists left a device filled with our PII inside an unlocked car.
Of the many screw-ups detailed in this report, that last one is the one that lights my fire. What Neanderthal (with all due respect to the GEICO cavemen) leaves a laptop sitting in the back of an unlocked car -- especially a laptop containing the private records of thousands of citizens? What form of bureaucratic insanity allows this to keep happening, over and over and over again?
While the Rapid7 report phrases its description in less incendiary terms, the facts are still damning: "Government agencies are facing an increase in data breaches as a result of cyber attacks, weaknesses in federal information security controls, and poor best practices for protecting data on portable devices."
"Poor best practices," indeed.
Meanwhile, other branches of government are busy exacerbating the problem. Based on all the grandstanding by Republican officials about the need to rein in an unaccountable federal bureaucracy and get tough on national security, I expected GOP lawmakers to quickly pass the 2012 Cybersecurity bill, which would have required all organizations that run the nation's critical infrastructure (think nuclear power plants, water supply systems and roads) to meet certain basic standards that would help defend them against hacker attacks. But Republicans were so myopically focused on preventing President Obama from achieving even the slightest legislative victory in this do-or-die election year that they almost unanimously opposed the bill, even after the Democrats caved entirely by offering to make the bill's provisions voluntary.
How are we ever going to convince government agencies to take information security seriously when their own bosses in Congress treat our data and our most valuable infrastructure like just another pawn in a never-ending chess match for power?
Here's the bottom line. We hear a lot of genuine, well-grounded concern about the growing number and sophistication of hacker attacks. But based on the information contained in this report, while hackers are partially to blame, the sad truth is that our own government's security policies -- or lack thereof -- have put us all at risk.
Too many bureaucrats are losing track of too much of our data, and their "oops!" moments are being magnified by civil servants who consistently fail to implement the access controls, encryption, physical security, and performance audits required to comply with the law and keep citizens' private data private, according to a recent study by the Government Accountability Office.