National Association of Attorneys General

National Association of Attorneys General National Association of Attorneys General

A Wake-Up Call: Cyberattacks Intensify on State Databases

We have all seen the headlines about data breaches, with Target and Home Depot being the targets of information thieves. Even those are not the most current; as I write this article, hackers’ attack on JPMorgan Chase affecting 78 million customer accounts was just announced. Unfortunately, state and federal government agencies are not immune to malicious attacks. The Identity Theft Resource Center reports that there have been 64 data breaches compromising 2,748,446 records in the government sector alone in the first three quarters of 2014.1

State government databases, in particular, have been hard hit by cybersecurity incidents. In June 2014, the Montana Department of Public Health and Human Services made the not-so-coveted list of top 10 data breaches for the year when its server, containing the names, addresses, dates of birth and Social Security numbers of 1.3 million people, was hacked. Montana, however, is not a lone victim. Just take a look at this list of other state government data breaches reported year to date.2

Date

State Agency

# Records Exposed

1/6/14

NC Dept of Health & Human Svces

48,752

1/7/14

CA Dept of Public Health

1,376

1/9/14

WY Dept of Health

17,925

1/14/14

NC Dept of Social Svces

Unknown

1/15/14

SC Dept of Employment & Workforce

4,658

1/24/14

WA Dept of Public Health

750

1/24/14

CA Dept of Resources, Recycling & Recovery

Unknown

2/5/14

CT Dept of Labor

27,000

2/12/14

VA Dept of Medical Assistance Svces

25,513

2/24/14

OR Secty of State website

Unknown

3/3/14

MD Developmental Disabilities Admin.

2,200

3/5/14

FL Dept of Health

3,500

3/7/14

IA Dept of Human Svces

2,042

3/22/14

CA Dept of Motor Vehicles

Unknown

4/1/14

CA Dept of Corrections & Rehabilitation

Unknown

4/3/14

MI Dept of Public Health

2,595

4/7/14

CA Dept of Child Support Svces

Unknown

4/12/14

NJ Dept of Human Svces

9,642

4/28/14

IA Dept of Human Svces, Medicaid Enterp.

862

5/29/14

IL Dept of Human Svces

Unknown

6/26/14

AL Dept of Public Health

1,200

7/8/14

CA Dept of Managed Health Care

18,000

8/29/14

CA Dept of Social Svces

Unknown

As illustrated by the above list, state databases are very desirable targets for cyber thieves, due in large part to their remarkable success in providing online access to government services for their citizens. In doing so, states are collecting and storing comprehensive data about their citizens, including educational data, court and law enforcement records, motor vehicle registrations and driver licenses, medical records and property and income tax data – from cradle to grave, so to speak. In addition, cyber thieves often regard state databases as weak targets without strong security procedures.

The National Association of State Chief Information Officers (NASCIO) released its annual cybersecurity study3and concluded it is time for states to move forward in protecting data and citizens. One of the key findings of the study is the disconnect between state agency officials and their information technology (IT) personnel as to the increasing sophistication of cyber criminals and the inherent threats they pose to state assets. “As one CIO put it, ‘Cybersecurity is an inconvenience to most agencies and departments. Clients understand locking one’s house or one’s car. They don’t understand nor want to put the effort into understanding what is required to lock one’s digital assets.’”4

As October has been declared National Cyber Security Awareness Month, it is clear a more extensive cybersecurity awareness effort is needed. While cybersecurity information posted online is helpful, most people don’t search for it unless they have already fallen prey to identity theft or another scam. Further, the emphasis on cybersecurity must come from the top to be effective, and state leadership must prioritize efforts to make citizens’ data secure. When these two measures are taken, states will be in a more favorable position to develop and maintain a comprehensive cybersecurity strategy.

Cybersecurity is not just a matter for the IT department; it is a state business issue that must be addressed to protect the safety and confidence of state citizens.



1 Identity Theft Resource Center Report dated Sept. 30, 2014, http://www.idtheftcenter.org/.

2 Ibid.

3 2014 Deloitte-NASCIO Cybersecurity Study – State Governments at Risk: Time to Move Forward,” October 2014, http://www.nascio.org/publications/.

4 2014 State CIO Survey: Charting the Course,” NASCIO, September 2014, pg. 28, http://www.nascio.org/newsroom/pressrelease.cfm?id=200.

Who's My AG?

Find the attorney general who represents you.

Meetings & Trainings

Stay informed of NAAG meetings and the NAGTRI trainings we offer.

AG Spotlight

Doug Peterson, Nebraska Attorney General

Doug Peterson is the attorney general of Nebraska.