In fiscal year 2023, US government agencies reported 11 major information security incidents to the Office of Management and Budget (OMB). These incidents, caused by poor patch management, unsupported systems, and inadequate authentication controls, highlight the vulnerabilities within federal systems. Despite significant efforts to strengthen cybersecurity defenses, these breaches exposed critical data and disrupted operations across various agencies. This article delves into each of these incidents, examining the factors that led to them and the measures taken in response.

Overview of 2023 Cybersecurity Incidents

The OMB report for fiscal year 2023 documented 32,211 information security incidents, a nearly 10% increase from the previous year’s 29,319 incidents. Among these, 11 were classified as major incidents, demonstrating the scale and severity of the cybersecurity challenges faced by federal agencies. The most common attack vectors were “improper usage” and “email/phishing,” accounting for 12,261 and 6,198 incidents respectively.

Incident 1: CMS Ransomware Attack

The first major incident involved a ransomware attack targeting network file shares on a system operated by a contractor for the Centers for Medicare and Medicaid Services (CMS). This breach exposed personal data for 2.8 million individuals, including 1.3 million deceased. The compromised information included names, addresses, dates of birth, Medicare identifiers, and bank details. In response, CMS moved the systems in-house and offered victims free credit monitoring. This incident underscores the risks associated with third-party contractors and the importance of stringent security measures in safeguarding sensitive data.

Incident 2: HHS Contractor Vulnerability

Another significant breach involved the Department of Health and Human Services (HHS), where attackers exploited a zero-day vulnerability to access systems containing HHS data. Although there was no direct compromise of HHS systems, the breach potentially exposed the personal information of 1.88 million individuals held for agencies such as the Centers for Disease Control and Prevention (CDC), the National Institutes of Health (NIH), and CMS. The exposed data included names, social security numbers, email addresses, phone numbers, dates of birth, medical diagnoses, and other sensitive information. This incident highlights the need for continuous monitoring and updating of contractor systems to mitigate vulnerabilities.

Incident 3: US Marshals Service Ransomware

In February 2023, the United States Marshals Service (USMS) was hit by a ransomware attack that compromised personal information on staff and individuals involved in legal processes. The USMS had to rebuild its system and restore data from backups. Affected individuals were notified and offered free credit monitoring. This incident illustrates the critical need for robust backup and disaster recovery plans to ensure data integrity and continuity of operations.

Incident 4: Department of Justice Vendor Attack

A ransomware attack in May 2023 targeted systems at a vendor providing data analytics support for the Department of Justice’s Civil Division and some US Attorneys’ offices. This attack compromised personal and medical data, prompting the deployment of third-party incident response services to investigate and mitigate the breach. Individuals affected were offered credit monitoring services. The incident underscores the importance of vendor security assessments and continuous monitoring to prevent such breaches.

Incident 5: IRS Data Exposure

The Internal Revenue Service (IRS) inadvertently exposed personal information that had already been exposed in the previous fiscal year. A coding error led to the publication of 501(c) organizations’ Exempt Organization Business Income Tax Return (990-T) forms. Although the data was promptly removed, it was inadvertently published again from a staging server. This recurring issue highlights the need for rigorous data handling and validation processes to prevent unintentional disclosures.

Incident 6: Treasury Department OIG Credential Compromise

A significant breach involved a bad actor gaining access to the login credentials of an employee at the Office of the Inspector General (OIG) for 15 hours. Although the actor was unable to access any information or introduce malware, the incident prompted the Treasury Department to update its multi-factor authentication policies and conduct awareness training for staff. This breach highlights the importance of strong authentication controls and regular security training to prevent credential compromises.

Incident 7: OPM Zero-Day Vulnerability

The US Office of Personnel Management (OPM) reported a major incident involving a zero-day vulnerability in a file transfer application used by a contractor supporting the Federal Employee Viewpoint Survey (FEVS). This breach compromised email addresses, unique survey links, and tracking codes for about 632,000 employees. In response, OPM ceased data transfers to the contractor and deactivated survey links. This incident underscores the need for timely patching and monitoring of third-party applications to prevent similar breaches.

Incident 8: CFPB Data Exfiltration

A former employee of the Consumer Financial Protection Bureau (CFPB) sent 14 emails containing personal information and spreadsheets with details of around 256,000 customers to their personal email account. The data included names and financial details, though it was assessed as not being usable for identity theft. The CFPB strengthened its technical controls and reminded staff of privacy policies to prevent future incidents. This case highlights the risks of insider threats and the need for stringent data handling policies.

Incident 9: TRANServe Data Breach

Attackers breached administrative systems of the TRANServe initiative, affecting approximately 237,000 federal employees. The breach exploited an unpatched critical vulnerability in a web application platform, resulting in the theft of names, addresses, and partial social security numbers. The Department of Transportation rebuilt the affected servers and offered credit monitoring services to the affected employees. This incident highlights the critical need for timely vulnerability management and patching practices.

Incident 10: Interior Department Data Exposure

A developer at the Interior Department’s Interior Business Center (IBC) modified a payroll system’s security policy, inadvertently allowing HR personnel to view employee records from 36 federal agencies. This exposed the personal data of around 147,000 individuals. An investigation revealed the lack of a privacy impact assessment, prompting the IBC to strengthen internal processes and training. This incident underscores the importance of conducting privacy impact assessments following system changes to prevent unauthorized data access.

Incident 11: DOE Ransomware Attack

The Department of Energy (DOE) reported a ransomware attack exploiting a zero-day vulnerability in a file transfer product used by the Waste Isolation Pilot Plant (WIPP) and Oak Ridge Associated Universities (ORAU). The attack potentially exposed the data of 34,000 individuals in a health monitoring program and 66,000 individuals from the Office of Science. The compromised data included names, birthdates, social security numbers, and health information. Affected individuals were notified and provided with identity monitoring services. This incident highlights the ongoing threat posed by ransomware and the importance of robust security measures to protect sensitive data.

Improving Cybersecurity Measures

Despite the increase in security incidents, the OMB audit noted improvements in agencies’ adoption of cyber defensive measures. Every agency selected an enterprise Endpoint Detection and Response (EDR) platform as per OMB directives and expanded their cyber detection capabilities. As a result, 96% of federal civilian executive branch agencies reported an increase in the “detect” category in fiscal year 2023 compared to the previous year. This demonstrates the ongoing efforts to strengthen cybersecurity defenses across federal agencies.

Key Takeaways and Recommendations

The incidents in 2023 highlight several key areas where federal agencies can improve their cybersecurity posture:

1. Strengthening Third-Party Risk Management: Federal agencies must implement stringent security measures and continuous monitoring for third-party contractors to mitigate risks associated with outsourced systems and services.

2. Enhancing Patch Management and Vulnerability Mitigation: Timely patching of vulnerabilities and proactive vulnerability management are critical to preventing breaches caused by unpatched systems.

3. Implementing Robust Authentication Controls: Multi-factor authentication (MFA) and strong password policies are essential to prevent credential compromises and unauthorized access.

4. Conducting Regular Security Training and Awareness: Continuous security training and awareness programs for employees can help prevent insider threats and reduce the risk of human error leading to breaches.

5. Improving Data Handling and Privacy Practices: Rigorous data handling and privacy practices, including conducting privacy impact assessments and validating data handling processes, are essential to prevent unintentional data exposures.

6. Enhancing Incident Response and Recovery Capabilities: Developing and testing robust incident response and recovery plans can help agencies respond quickly and effectively to breaches, minimizing their impact.

Conclusion

The cybersecurity incidents reported by US government agencies in 2023 underscore the ongoing challenges and risks in managing and protecting sensitive data. While significant improvements have been made in adopting cyber defensive measures, there is still a need for continuous vigilance and proactive measures to address vulnerabilities and mitigate risks. By strengthening third-party risk management, enhancing patch management, implementing robust authentication controls, conducting regular security training, improving data handling practices, and enhancing incident response capabilities, federal agencies can better protect their systems and data from future threats. The lessons learned from these incidents can help guide future efforts to build a more secure and resilient federal cybersecurity posture.