Our Wired World

The Cost Of Government Breaches

Can you trust the US Government with your data?

A new report written by Paul Bischoff from research provided by Comparitech reveals that since 2014, the US government has suffered 822 breaches affecting nearly 175 million records. Based on the average cost per breached record, it is estimated these breaches have cost government entities over $26 billion from 2014 to October 2022. View the complete report here. Reprinted with permission.

In 2018 and 2019, the number of government breaches hit an all-time high with 116 and 118 breaches respectively. In 2020, breaches decreased to 107 before increasing again to 116 in 2021. So far this year, there have been 61 data breaches affecting 2.9 million people.

The number of records affected during these data breaches has fallen significantly in the last few years. 2018 saw a colossal 83 million breached records. They mainly stemmed from one breach at the US Postal Service, affecting 60 million records. In 2019, this figure dropped to 1.4 million before hovering around the 3 million mark for the next three years.

Over the last four years, the average number of records involved per government data breach has increased. From 17,400 in 2019 to 42,097 in 2020 and 40,440 in 2021, the average number of records affected per breach in 2022 currently stands at 71,534. While the frequency of attacks may have declined, the impact of individual attacks has increased. The true extent of breaches often isn’t felt for months, if not years, so the average number of records affected per breach for this year could increase even further yet.

So, what are these data breaches costing the government, how have government breaches developed over time, and what trends have we seen in recent years?

Comparitech’s team of researchers has collated information on government data breaches dating back as far as 2014. They’ve searched through state data breach reports, federal reports, news, press releases, and industry reports to create an extensive list of breaches that have affected government agencies across the United States.

Key Findings

From 2014 to October 2022:

  • 822 government entities suffered data breaches
  • 174,963,934 records were affected because of these breaches
  • The cost of these affected records was $26 billion
  • 2019 was the biggest year for breaches with 118 in total, followed closely by 2018 and 2021 – both with 116
  • 2018 had the highest number of records affected – 83,293,815 in total
  • California had the most breaches overall (108) and the District of Columbia had the highest number of records affected overall (91.2 million). DC’s vast number of affected records stems from many government offices being based here
  • The most common type of breach was hacking with 256 breaches. Those involving inadvertent disclosure were the second-largest breach type with 192 breaches
  • Cities/towns were the most-affected government entity type from 2019 to Oct 2022 with 124 breached, while counties were breached 56 times during the same time period

The Cost Of Government Data Breaches By Year

According to IBM, the average cost per record involved in a breach in 2022 is $164 – a slight increase on 2021’s cost of $161. 2022’s figure is the highest IBM has recorded over the last nine years, with 2017 being the lowest at $141.

Using IBM’s yearly data on the cost per breached records, Comparitech has been able to estimate how much these breaches have cost government entities.

From the start of 2014 to October 2022, they estimate data breaches have cost US government organizations over $26 billion.

While this figure sounds relatively high for these 822 data breaches, the true costs are likely much higher. This is not just because of all of the other costs involved in a data breach (e.g. recovery costs and ransom payments) but because some figures are unavailable for the number of records involved in these breaches.

As the 2022 IBM study reveals, the costs of data breaches within organizations labeled “critical infrastructure,” e.g. the public sector, are often much higher. It found that the average cost of a data breach within this category was $4.82 million – $1 million more than for organizations within non-critical infrastructure, e.g. services, hospitality, and entertainment.

The Top 5 Biggest Government Data Breaches (Since 2014)

1.) The US Postal Service, 2018 – 60 million records: A flaw led to the exposure of 60 million users’ account details – something USPS was warned about a year prior.

2.) The Office of Personnel Management, 2015 – 21.5 million records: Hackers stole the information of 21.5 million former and current US government employees.

3.) California Secretary of State, 2017 – 19.2 million records: Voter records for more than 19 million people were available for all to view after a database was left unprotected.

4.) Government Payment Service, Inc., 2018 – 14 million records: GovPayNow.com, which is used by thousands of local and state governments, leaked over 14 million customer records, including names, phone numbers, addresses, and the last four digits of the payer’s card.

5.) Georgia Secretary of State, 2015 – 6 million records: A massive data breach occurred when Brian Kemp’s office released data, including personally identifiable information, to political parties, the media, and other subscribers who buy voter information (legally) from the state.

How Is 2022 Looking For Government Data Breaches So Far?

Early on in 2022, breach numbers were high with January experiencing 10 breaches, and February, 12. In total, 2022 has seen 61 government data breaches up until October with 2,861,379 records breached at the time of writing. Even though breaches are lower than in previous years, it is likely the figures Comparitech has recorded over the past few months will increase as more breaches are publicized.

As we have seen, the number of records affected is high, too. With the average number of records breached being 71,534, this is a vast increase on the figures we have seen over the last four years. IBM’s 2022 report on the cost of data breaches suggests the cost per breached record is at an all-time high of $164. Based on the reports Comparitech found so far, this equates to a cost of more than $469.2 million in breached records for 2022 from January to October alone.

Methodology
Using state reports, government reports, news, press releases, and industry reports, we have collated all of the records of data breaches that have occurred within federal, state, county, and city government and military departments. Where possible, the figures for the breaches have been assigned to the state where records were affected. However, in some cases, the figures will be allocated to the state where the department involved is headquartered. This is due to several states often being affected and a breakdown of figures per state being unavailable.
Furthermore, there may be some instances where the breach occurred in a previous year but wasn’t brought to the attention of the authorities until later on. And not every breach comes with a figure for the number of records affected (this may be unknown or may be below the threshold imposed by the state). BlueLeaks was logged as one breach due to the wide range of entities (of which there is no exact figure) being affected. It was also logged as “US” as it cannot be pinpointed to a specific state.
Figures for previous years may have changed since our last study due to updated reports with exact breach dates.