In fiscal year 2023, US government agencies reported 11 major information security incidents to the Office of Management and Budget (OMB), highlighting significant vulnerabilities in federal systems. Poor patch management, unsupported systems, and inadequate authentication controls were identified as key factors in these breaches.
During this 12-month period, federal agencies reported 32,211 information security incidents, nearly a 10% increase from the 29,319 incidents in fiscal year 2022. The OMB's report, complying with the 2014 Federal Information Security Modernization Act and the 2015 Cybersecurity Act, pinpointed “improper usage” and “email/phishing” as the most prevalent attack vectors, with 12,261 and 6,198 incidents respectively.
While not all incidents had severe consequences, the OMB categorized 11 as “major”. Here are the details of these significant breaches:
- CMS Contractor Ransomware Attack: A ransomware attack targeted network file shares of a contractor for the Centers for Medicare and Medicaid Services (CMS), exposing personal data of 2.8 million individuals, 1.3 million of whom were deceased. Compromised information included names, addresses, dates of birth, Medicare identifiers, and bank details. CMS moved the systems in-house and provided free credit monitoring to the affected individuals.
- HHS Contractors Compromised: Attackers exploited a zero-day vulnerability to access systems of two contractors handling Health and Human Services (HHS) data, potentially exposing the personal information of 1.88 million individuals. The breach affected data from agencies like the Centers for Disease Control and Prevention, the National Institutes of Health, and CMS.
- US Marshals Service Ransomware: In February 2023, ransomware hit the US Marshals Service (USMS), compromising personal information of staff and legal process participants. USMS built a new system and restored from backup, notifying and offering credit monitoring to affected individuals.
- DOJ Vendor Ransomware: A May 2023 ransomware attack on a vendor providing data analytics support to the Department of Justice’s Civil Division compromised personal and medical data. An incident response service investigated, and affected individuals were offered credit monitoring.
- IRS Data Exposure: The IRS inadvertently re-exposed personal information through a contractor error involving 501(c) organization tax forms. The data was promptly removed from public access, but it had been reachable on a publicly accessible staging server before that.
- Treasury OIG Credential Compromise: A nation-state actor accessed the login credentials of an Office of the Inspector General (OIG) employee for 15 hours. Although no information was accessed or malware introduced, the Treasury Department updated its multi-factor authentication policies and conducted staff training.
- OPM Zero-Day Vulnerability: The Office of Personnel Management (OPM) reported a breach involving a zero-day vulnerability in a file transfer application used by a contractor for the Federal Employee Viewpoint Survey (FEVS). The breach affected data for about 632,000 employees, including government email addresses and survey links.
- CFPB Data Breach: A former Consumer Financial Protection Bureau (CFPB) employee sent 14 emails containing personal information and spreadsheets with details of approximately 256,000 customers to their personal email account. The CFPB strengthened technical controls and reminded staff of privacy policies.
- TRANServe Data Breach: Attackers exploited an unpatched vulnerability in the Parking and Transit Benefit System (PTBS), affecting approximately 237,000 federal employees. The Department of Transportation rebuilt affected servers and offered credit monitoring services.
- Interior Department Payroll System Error: A modification to a payroll system’s security policy by an Interior Department developer inadvertently exposed personal data of about 147,000 individuals. The department strengthened internal processes and training.
- Department of Energy Ransomware Attack: A ransomware group exploited a zero-day vulnerability in a secure file transfer product used by the Waste Isolation Pilot Plant (WIPP) and Oak Ridge Associated Universities (ORAU), potentially compromising data of 34,000 individuals in a health monitoring program and 66,000 individuals from the Office of Science.
Despite the increase in security incidents, the OMB report noted improvements in cybersecurity defenses. Agencies adopted enterprise Endpoint Detection and Response (EDR) platforms and expanded cyber detection capabilities, leading to 96% of federal civilian executive branch agencies reporting an increase in the “detect” category compared to the previous year.