Skip to main content

Understanding Data Breaches: Causes, Consequences, and Risks for Government Agencies

concerned woman with credit card

As a government agency leader, priority one is your mission to serve constituents — ensuring fast, convenient service delivery and optimal customer experiences. In fulfilling that mission, you’re also charged with protecting constituent data and reducing fraud, waste and abuse. With the push to enable online access to just about every government program, data breaches pose a growing risk for fraud and cybercrime. They enable criminals to use stolen or fabricated identities to establish legitimate business entities to perpetrate further crimes, submit fraudulent tax returns and steal benefits from legitimate beneficiaries.

Protecting your agency requires the mindset that all constituent identity data may be compromised. To establish trust in digital transactions, it’s important digital identity — the relationships between a constituent’s identity, devices and accounts — be continuously evaluated and verified. This requires an approach that blends fraud detection into digital interactions without causing undue burden or friction. Enabling constituents to apply for business licenses, grants and benefits they need while protecting them and your organization from identity-based fraud is critical to further streamlining operations through digital transformation initiatives.

What is a data breach?

A data breach is a security incident in which sensitive, protected or confidential information is accessed, stolen or exposed by an unauthorized individual or group. This can include personal information (such as names, addresses and Social Security numbers), financial data, health records or classified government information.

How do data breaches happen?

Data breaches can occur through various means, including:

  • Hacking: Cybercriminals exploit vulnerabilities in computer systems or networks to gain unauthorized access
  • Malware: Malicious software is used to infiltrate systems and steal data
  • Phishing: Fraudsters trick employees into revealing login credentials or other sensitive information
  • Insider threats: Employees or contractors with authorized access misuse or steal data
  • Physical theft: Stealing devices containing sensitive information, such as laptops or hard drives
  • Accidental exposure: Unintentional disclosure of data due to human error or misconfigured systems

What's the scale and impact of US data breaches?

Consumers’ personally identifiable information (PII) is a commodity in criminal marketplaces. Data breaches put millions of Americans at increased risk of identity theft and fraud daily. The scope of breach activity makes it a leading indicator of fraud. As exposed PII enters the criminal ecosystem, a few factors can determine the likelihood notable fraud trends will emerge:

  • The volume of PII compromised in the breach
  • The sensitivity of information leaked (e.g., full name or Social Security number)

US data breaches increased 15% year over year (YoY) in 2023 to a volume never seen before — driven by a 38% YoY increase in third-party breaches. In addition, the average breach risk severity (the ability of a breach to enable identity fraud based on the information exposed) as measured by TransUnion® TruEmpower™ Breach Risk Score (BRS) increased 11% YoY to 4.1 in 2023, also the highest ever measured.

Data breaches have become increasingly common and costly. The global average cost of a data breach reached $ 4.88 million in 2023, a 10% increase over 2022, according to IBM Cost of Data Breach Report 2024. US data breaches cost an average of $9.36 million, nearly twice the global average.

According to TransUnion, cybercriminals zeroed in on third-party service providers as the largest data breach vector — surpassing primary breaches for the first time in 2023. Not only were there more third-party beaches, but they were also more severe with an average BRS 24% higher than 2022.

The most frequently exposed information in 2023 data breaches is likely to be used in schemes to target public sector agencies:

  • Full names
  • Date of birth
  • Full Social Security numbers
  • Home address
  • Email address
  • Phone number
  • Medical history
  • Student ID
  • Education (e.g., enrollment and degree records)
  • Driver’s license numbers or state IDs

A single data breach event can have huge fraud impacts for agencies. For example, 2023’s massive MOVEit hack affected more than 1,000 public and private organizations and exposed data on more than 60 million individuals.

What are the impacts and consequences of data breaches on government programs?

Data breach impact on constituents:

  • Identity theft and impersonation — When personal information is compromised, criminals can use it to impersonate individuals or create synthetic identities
  • Scams and authorization fraud — When a constituent responds to fake or spoofed communication (seemingly from a government agency) with the criminal intent of convincing them to volunteer account access or send payments

       These impersonation and fraud attempts can lead to:

o   Fraudulent benefit claims

o   Benefit payment diversion (e.g., Social Security, SNAP, Child Support)

o   Tax refund fraud

Data breach impact on government agencies:

  • Identity theft and impersonation — When personal information is compromised, criminals can use it to impersonate individuals or create synthetic identities. This can lead to:

o   Fraudulent benefit claims (e.g., unemployment, Social Security)

o   False tax returns and refund fraud

o   Unauthorized access to government services

  • Financial fraud — Stolen financial data can be used for:

o   Unauthorized transactions or fund transfers

o   Creation of fraudulent accounts in the agency's name

o   Manipulation of financial records or budget allocations

  • Blackmail and extortion — Sensitive or classified information obtained through a breach can be used to:

o   Blackmail government employees or officials

o   Extort the agency for ransom (as in ransomware attacks)

o   Manipulate policy decisions or contracts

  • Espionage and national security threats — Breaches of classified information can lead to:

o   Foreign intelligence gathering

o   Compromise of military or diplomatic operations

o   Undermining of national security initiatives

  • Reputational damage and loss of trust — While not a direct form of fraud, the loss of public trust following a data breach can:

o   Make citizens more susceptible to impersonation scams

o   Reduce willingness to share information, hampering agency operations

o   Lead to increased scrutiny and potential budget cuts

  • Insider threat amplification — Data breaches can exacerbate insider threat risks by:

o   Providing disgruntled employees with sensitive information to misuse

o   Creating opportunities for collusion between internal and external bad actors

  • Fraud detection compromise — If fraud detection systems or databases are breached, it can lead to:

o   Criminals gaining insight into detection methods

o   Manipulation of fraud risk scores or watchlists

o   Disabling or circumventing fraud prevention measures

How to protect your agency and constituents from the risk of identity fraud?

Identity verification and device proofing is the next layer of proactive control

Industries from government to banking, travel, ecommerce and more have decades of experience using identity verification to ensure users attempting to create or access accounts or make purchases are authorized to do so.

Verifying constituent identities with confidence starts by looking at constituent-provided personal data and comparing it against authoritative and robust data sources. In instances like benefit applications, tax return or business registrations, credit reporting agencies can help confirm personal details like addresses, phone numbers and Social Security numbers. 

But in faceless digital channels, more device data can aide in determining the risk level associated with the device being used to initiate the benefit application or business registration. More diverse sources of public record data can also help identify suspicious and known subjects or high-risk associations between the user and other associates.

Scalable identity and fraud risk solutions fortify trust across the constituent experience

A robust fraud solution will better secure trust across the constituent lifecycle from helping mitigate new registration fraud early in the application cycle to reducing the risk of account takeover (ATO). At each point along that journey, a fraud solution that identifies and helps separate safe from risky interactions can be used to effectively reduce fraud, waste and abuse, helping ensure genuine constituents receive the benefits and services they deserve.

When suspicious activity is identified through digital insights or an identity cannot be verified, minimal step-up challenges can be implemented. As an example, you can request knowledge-based authentication (KBA) or authenticate a user’s identity via a one-time passcode (OTP) sent as a text message to a mobile device.

Unfortunately, it’s relatively simple for fraudsters to hijack one-time passcodes via SIM swap, call forwarding or unauthorized number reassignments. To help ensure one-time passcodes are delivered to constituents and not fraudsters, one may leverage authoritative phone data from direct carrier relationships to promote a higher degree of trust regarding phone ownership when using OTPs.

If a user’s identity still cannot be authenticated, document verification is a natural progression to help more securely and confidently validate constituent-provided data — and reduce the risk of fraud from stolen or synthetic identities.

Identity and device proofing should build trust in digital channels, delivering friction-right constituent experiences

By orchestrating proprietary PII, public record information, device information, fraud solutions can enable trust between business registrars, their states and constituents. The results include: Continued, seamless experiences for good constituents; a reduction in fraudulent registrations and fraud losses; fewer investigative resources and cycles spent fighting fraud; and enhanced, friction-right constituent experiences across channels.

Protect constituents and your agency from compromised identities

Bad actors are increasingly looking to exploit perceived weaknesses in government programs to generate cash flow. Fraudulent tax returns, fulfillment of prescription drugs from falsified medical information, access to subsidy and grant programs, and many other avenues exist for criminals to target entities in the public sector. Data breaches are particularly attractive catalysts for fraud because they potentially allow criminals access to these programs through stolen identities at scale.

Data breach exposure has a direct impact on government agencies’ abilities to serve constituents, deliver benefits effectively, and reduce fraud, waste and abuse. Understanding potential risks like data breaches, identity theft and more can be a first step toward better protecting against future fraudulent activity. Finding robust identity verification solutions to protect omnichannel constituent experience channels is a critical first step.

Learn more about TransUnion identity and fraud solutions.

Do you have questions? Our team is ready to help.