
75% of US government websites experienced data breaches

2025-06-17
75% have been affected by data breaches, almost 54% have had corporate credentials stolen, and 27% have employees reusing compromised passwords.
Research by BDI Team

A new report reveals that 75% of US government departments and agency websites have suffered data breaches.

New research from the Business Digital Index reveals that 53.7% of US government departments and agencies scored D or worse for their cybersecurity efforts, with 38.8% falling into the F category. 75% have been affected by data breaches, almost 54% have had corporate credentials stolen, and 27% have employees reusing compromised passwords.

Failing the cybersecurity exam

According to the index, which grades businesses and various institutions based on their online security measures, using available data from external sources, 53.7% of US government departments and agencies scored D or worse for their cybersecurity efforts, with 38.8% falling into the F category.

Just 22% of them earned an A rating. 10.2% of analyzed government departments and agencies earned a B rating and showed low risk. Meanwhile, 14.3% with a C grade have moderate risk.

Nevertheless, the US government departments and agencies received an average security score of 75 out of 100. According to the index methodology, an overall calculated value from 70 to 79 is considered high risk. Based on this, it can be predicted that American data is at high risk.

Common security issues

Researchers found that the top three issues across industries are secure sockets layer (SSL/TLS) configuration, data breaches, and system hosting issues.

The Business Digital Index shows that the most common security issue is related to SSL/TLS configuration, affecting 93% of analyzed departments and agencies. SSL/TLS is a technology that encrypts data transmitted between a web server and a browser to ensure secure communications.

If a company has issues with its SSL/TLS setup, it can expose sensitive data to interception, making its systems vulnerable to man-in-the-middle attacks and compromising user trust and data security.

Nearly every US government department and agency (77%) suffers from poor system hosting practices, and 75% have been affected by data breaches. At the time of writing this report, 24% of domains had recent data breaches, the latest detected four days ago.

In addition, around 59% of analyzed departments and agencies have issues with email security, almost 54% have had corporate credentials stolen, and companies with lower security levels are more vulnerable to email spoofing. This threat generally affects around 45% of analyzed domains.

45% struggle with web application security, and 40% face software patching vulnerabilities. 24% have high-risk vulnerabilities and almost 23% have critical vulnerabilities, and 27% have employees reusing compromised passwords.

These weaknesses can open up companies to data breaches, which often have far-reaching consequences, such as damage to a reputation, financial losses, legal penalties, and loss of trust.

Geographical breakdown of vulnerabilities

Most government departments and agencies across all US territories, except the Midwest states, were assigned to the F score level, averaging 45%.

Midwest region states show better security practices but still have 28% F-rated companies. In contrast, US territories have significantly lower cybersecurity, with 55% of companies rated F.

Connecticut, South Dakota, and the District of Columbia have the highest overall score, above 90, and are at low risk for data leaks. Meanwhile, Idaho, Massachusetts, the US Virgin Islands, Indiana, and Maine have the lowest overall score (from 54 to 58), and their data is likely at critical risk of being leaked.

US government cybersecurity rating

Research Methodology

The BDI research team analyzed the domains of 490 US government departments and agencies. Detailed data collected from multiple sources, including IoT search engines, IP and domain name reputation databases, and custom scanners, shows the digital security posture of government departments and agencies.

The report evaluates risk across seven key areas: software patching, web application security, email security, system reputation, SSL configuration, system hosting, and data breach history. The detailed report’s methodology is here.
