The Weekly Breach Breakdown Podcast by ITRC - Disarmed Services - S3E32

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 18, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we review the data breach trends in a very important sector of our economy and society. We break down new information around military data breaches.

The ITRC, like most other organizations that track cyberattacks and data breaches, uses the same method to categorize the organizations that are attacked. Known as Standard Industrial Classification (SIC) codes, they are assigned by the U.S. government to organize companies and industries by their business activities. They include classifications such as Manufacturing, Transportation and Public Utilities, Finance, and Military.

For the past several years, the ITRC and other non-government organizations that rely on public data breach notices to compile statistics have reported ZERO data compromises involving service members' personal information. Here at the ITRC, we are generally skeptical that the actual number of data breaches are being reported as required by law. However, no military data breaches impacting members since the Office of Personnel Management (OPM) breach of 2014 seemed too good to be true.

GAO Report Shows Military Data Breaches Involving PII

Now, the Government Accountability Office (GAO) has agreed in a report published this week that says there were 1,891 data breaches in 2021 that involved the personally identifiable information (PII) of service members or civilian contractors working for the Department of Defense (DOD). By comparison, the ITRC reported a record-high number of breaches in all sectors during 2021 – 1,862 data compromises.

To state the obvious, the GAO figure is more than all non-military data compromises in 2021 – combined. The GAO goes on to note the DOD has established a process for determining whether to notify individuals of a breach of their PII. This process includes conducting a risk assessment that considers three factors—the nature and sensitivity of the PII, the likelihood of access to and use of the PII, and the type of breach. 

No Documentation of Victims Impacted by Military Data Breaches

However, the DOD has not consistently documented the notifications of people impacted by the military data breaches because officials say notifications are often made verbally or by email, and no record is retained. The GAO warns that without documenting the notification, the DOD cannot verify that people were informed about a breach. 

Good News from the GAO Report

There are two bits of good news. The number of cyber incidents tracked by the Pentagon has dropped steadily since 2015 because of successful defense efforts. Also, there are plans to implement a new system in 2023 to track and alert military members of any PII compromise. 

Contact the ITRC

If you want to learn how to protect your personal or business information or think you have been the victim of an identity crime or compromise, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Be sure to listen to our sister podcast, the Fraudian Slip. On our final episode of the year on December 9, we will discuss our predictions for 2023. Next week is Thanksgiving, so we’ll be celebrating the holiday with our families and friends. From all of us at the ITRC, we are thankful for you, our loyal followers, and we hope you enjoy a safe and happy holiday. We’ll see you in two weeks with another episode of the Weekly Breach Breakdown.