The personal information of millions of Americans is at risk because branches of government have failed to implement basic defences against cyber-attacks, according to a Senate committee report.

Eight departments, including Homeland Security and the State Department, rely on outdated systems, ignore mandatory security patches and fail to protect sensitive data such as names, dates of birth, income, social security numbers and credit card numbers, the permanent sub-committee on investigations of the Senate homeland security committee found.

The publication comes after a spate of high-profile cyber-attacks in recent months such as on Colonial Pipeline, meat supplier JBS, and software suppliers SolarWinds and Accellion.

In 2020, the White House reported 30,819 information security incidents across government, up 8% on 2019.

Among weaknesses highlighted by the sub-committee’s report were:

  • an unauthorised shadow IT system on the Department of Housing and Urban Development network which existed without approval;
  • the State Department unable to provide documents accounting for 60% of employees who had access to its classified network, and “thousands of accounts [left] active after an employee left the agency for extended periods of time on both its classified and unclassified networks”; and
  • no record of nearly 15,000 mobile devices, servers and 2,880 workstations owned by the Department of Transportation.

“All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cyber security requirements including encryption of sensitive data, least privilege and multi-factor authentication,” broadcaster CBS quoted the sub-committee’s report as saying.

“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyber-attacks are going to keep coming,” said Senator Rob Portman.

“It is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data … a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.”

