Don’t trust the government?
A recent report by Symantec has some interesting information about data breaches. According to this report, government organizations managed to expose more identities than all other sectors put together. Although they were responsible for only 20 percent of the total number of breaches, they were also responsible for 60 percent of the number of identities exposed.
The financial services industry was responsible for most of the remaining number of identities that were exposed. They were responsible for 14 percent of the total number of breaches and 33 percent of the total number of identities exposed.
According to this report, there are so many compromised identities available to criminals that the law of supply and demand has reduced the street value of a complete identity to as little as $1.
The financial services sector is responsible for so many lost identities because criminals can readily profit from the type of information that this sector deals with. Information like account numbers and credit card numbers is valuable to criminals, and because of this they actively target this sector. So although this sector invests heavily in information security, it’s also the best target for hackers, and deliberate attacks add to the number of data breaches caused by lost or stolen equipment.
The large number of identities compromised by government data breaches should not be surprising. Governments, after all, may have information about all of their citizens while commercial entities typically only have information about their customers, which may be only a small subset of the total population. So a data breach at a government organization has the potential to disclose much more sensitive information than a similar breach at a business.
In the case of governments, it’s also fairly easy to understand how large expenditures on information security may not actually correlate to better security. After all, governments tend to have different criteria than other organizations when it comes to purchasing. Government budgets are the result of a political process that reflects many conflicting criteria, only one of which is to provide a high level of security. Other criteria, like buying products from local vendors, buying products from a wide range of vendors or buying from vendors with political influence, are often equally important. And the high level of risk aversion that governments almost always have means that they are often slow to adopt new technologies, even ones that can effectively address security concerns. Because of these factors, it shouldn’t be too surprising that governments often perform in a less than stellar fashion when they need to deal with something that changes as rapidly as the information security threat environment does.
The performance of government organizations in protecting personal information has been so poor that it might be wise to assume that any large database of data that governments have will eventually be compromised, and it seems foolish to trust governments to keep sensitive personal information protected for long, no matter how good their intentions are. P. J. O’Rourke may have summarized this situation best when he said, "A little government and a little luck are necessary in life, but only a fool trusts either of them."
Governments may one day learn to stop the massive losses of personal information that they cause, but don’t expect it to happen any time soon.