Federal Agencies Hacked 31,000 Times in 2016

March 10, 2017 Updated: October 5, 2018

Federal agencies faced almost 31,000 “cyber incidents” in fiscal 2016 that led to “compromise of information or system functionality,” the Office of Management and Budget stated in its annual cyber security report to the Congress.

“Sixteen of these incidents met the threshold for a major incident, a designation that triggers a series of mandatory steps for agencies, including reporting certain information to Congress,” the report stated.

Major Incidents

Department of Commerce – In December 2015, the United States Patent and Trademark Office headquarters experienced a major power outage, which resulted in damaged equipment that required the subsequent shutdown of many systems. “There were no reports of data breaches during the outage, indicating there were no external or internal threats, and no Controlled Unclassified Information was compromised,” the report stated.

Department of Health and Human Services – The department reported one major incident in 2016, which involved the potential compromise of personally identifiable information. The department reported the incident in September 2016. The report didn’t provide details about the hack.

Department of Housing and Urban Development – The HUD department reported two major incidents in 2016. The first was uncovered in August, when a member of the public notified the agency that personally identifiable information, including Social Security numbers, were accessible via Google search. The second incident included two separate instances in September involving public HUD websites displaying personally identifiable information related to HUD-assisted public housing. “HUD is working to provide affected individuals with credit monitoring solutions,” the report stated.

Department of the Treasury – Treasury reported two major incidents in FY 2016. It detected one incident in January 2016 at the Internal Revenue Service (IRS). Treasury determined that an attacker was attempting to fraudulently generate PIN numbers for electronic tax filing based on taxpayer information stolen from non-IRS sources. “Treasury offered affected individuals an identity protection PIN to protect against fraudulent returns in 2017,” the report stated.

Treasury detected another incident in September 2016, when a retiring Office of the Comptroller of the Currency employee downloaded a large volume of files to two thumb drives. “Treasury has indicated that there is no evidence that the individual disclosed information, as the agency had previously encrypted the data,” the report stated.

Federal Deposit Insurance Corporation – The agency reported 10 major incidents in 2016, which generally stemmed from employees taking personally identifiable information or other sensitive information on removable media “in an unauthorized fashion,” the report stated. In response to these incidents, the agency put in practice a measure that would prevent users, with some exceptions, from downloading data to removable media. The agency is also offering credit monitoring to affected people.

Major incidents are defined as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the report stated.

On the other hand, “Federal agencies made considerable progress in strengthening their defenses and enhancing their workforces to combat cyber threats,” the report stated. The progress includes expanded use of ID cards to access Federal networks and employing “strong antiphishing and malware capabilities.”

Follow Petr on Twitter: @petrsvab