According to the Bureau of Labor Statistics, there are nearly 22 million government employees in the United States; according to the New York Times the U.S. has 1.3 million active-duty troops and 865,000 military members in the reserves. That is over 24 million Americans combined in the U.S. government and military.

The Identity Theft Resource Center’s 2018 End-of-Year Data Breach Report showed 79 data breaches impacting military and government entities, exposing 5,302,846 records. In 2017 those numbers were even higher with 99 breaches that exposed 9,927,798 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the government/military industry category had fewer breaches in 2018, the ITRC continues to empower identity theft victims – particularly those that are victims of both government agencies and the military breaches – with the resources and tools to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we took a look at the most impactful medical and healthcare data breaches. This week we continue with our latest installment looking at the top five military and government data breaches that impacted U.S. consumers and personal information that was compromised.

Office of Personnel Management (OPM)

For the third time in our 10,000 Breaches Later blog series, OPM makes the list. In June 2015, The U.S. Office of Personnel Management (OPM) suffered two separate hacking events that exposed background investigation records of 21.5 million Federal government employees and contractors. Some of the information impacted was Social Security numbers (SSN), fingerprint/biometric data and security clearance information. It also exposed personally identifiable information (PII) of dependents including SSNs, birth dates and other information. It was a sophisticated, large-scale hacking event that led to the creation of the National Background Investigations Bureau (NBIB). The impact to those Federal employees and their dependents was potentially catastrophic given the amount and sensitivity of the data compromised.

U.S. Military – National Archives and Records Administration

In October 2009, the Inspector General of the National Archives and Records Administration announced a military and government data breach that impacted 76 million U.S. military veterans. The incident involved a defective hard drive that was sent back to its vendor for repair, determined unrepairable and sent to another firm to be recycled. While sent to be recycled, it still contained PII and sensitive PII of veterans. The hard drive helped power eVetRecs, a system used by veterans to request copies of health records and discharge papers. With that type of information available to a fraudster, the potential for government identity theft and benefits fraud could create havoc for a veteran seeking services.

United States Postal Service (USPS)

Right before the holiday season in November of 2018, and weeks after the Secret Service issued an alert that cybercriminals were using the United States Postal Service’s Informed Delivery feature to commit fraud and identity theft, the USPS announced that they had fixed a flaw in their system that exposed the personal information of 60 million users. Any user could login to an usps.com account to query the system for details belonging to other users due to the flaw. Some of the details users could have had access to included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users and mailing campaign data. All of that information meant that not only could a thief potentially know what was coming to your mailbox, but they could also pose as the address-owner and have the mail rerouted, creating a huge issue for folks with sensitive mail on the way to them.

Government Payment Service, Inc. (GovPayNow.com)

In September 2018, Government Payment Service, Inc., who is contracted by thousands of government agencies – including Federal, state, regional and local/city/town governments – to process payments related to government fees and fines, announced that their payment portal had exposed 14 million customer records. The online system allowed registered users to access copies of their receipts. However, access was not properly restricted and unauthorized recipients were able to view other user’s receipts by simply changing the digits displayed in the web address. Information that could be viewed on the receipts included names, addresses, phone numbers and the last four digits of payment card numbers. This breach also covered data stretching all the way back to 2012. The payment service released a statement saying they updated their system to ensure that only authorized users could view their individual receipts.

California Secretary of State

The California Secretary of State announced in December 2017 that they were investigating a cyberattack in which hackers stole the data of California voters and held it for ransom payable in Bitcoin. The information accessed included the names, addresses, phone numbers, email addresses, places of birth and gender of 19.2 million voters. According to DarkReading, the Kromtech researchers stated they had not been able to identify the owner of the database and believe it could have been a political action committee or a specific campaign based on the unofficial title of the repository. However, they reiterated that was only a suspicion. Access to voter records can create a treasure trove of information for a fraudster, but it can also provide a wealth of information from state-actors attempting to influence election outcomes. Consumers should be aware of the sensitive nature of voter data and the potential unique identity theft aspects that could come from its exposure.

Coming Up In 10,000 Breaches Later

As we recap military and government data breaches, the ITRC hopes to help those impacted – both as consumers, businesses and government entities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just toss it aside or file it away. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a government or military entity impacted by a data breach incident, please reach out to the ITRC at itrc@idtheftcenter.org to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

As part of this series, in our next 10,000 Breaches Later blog, we will take a look at some of the top banking, credit and financial breaches since 2005. For a look at all of the 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.


You might also like…

“Federal Government Empowerment Money Program” Scam Circulates on Social Media

In New Scam, Criminals Pose as Government Officials Pretending to Help with Identity Theft

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches