CIA Director John Brennan’s personal @AOL.com email account was hacked into by a high school student and his personal information was exposed on WikiLeaks on October 21, 2015. They published his Social Security numbers, passport numbers, credit card and addresses of his family and associates. In addition, they released emails and documents generated before Brennan’s time in the Obama administration and while it did not contain classified government information, this has triggered great concern within the intelligence community and U.S. Government.

The recent Ashley Madison hack doesn’t just have divorce attorneys and spouses scrambling. Federal, municipal and plenty of private sector employers are all on high alert. And they should be.

Data breaches are becoming one of government’s highest IT concerns. It is no longer a question of IF, but WHEN a data breach will occur. According to an April 2014 GAO report titled “Information Security - Agencies Need to Improve Cyber Incident Response Practices”, security incidents at Federal Agencies that have involved the probable exposure of citizens’ personal information have increased from 10,400 to 25,500 plus, between 2009 and 2013. This increase has Federal Agencies turning to the requirements set forth in the Privacy Act of 1974.

The IRS has announced that over 104,000 taxpayers have had their personal data stolen, including names, dates of birth, and social security numbers, as the result of a data breach last month. The repercussions of this data breach have been severe for those affected, as hackers have already been able to use the stolen past tax returns to submit fraudulent tax returns under their stolen identity and direct the tax refunds to prepaid debit cards. As a result of government data breaches, the IRS has announced that over 200,000 tax returns were received from “questionable” email domains, and it is estimated that 100,000 were able to clear the IRS’ authentication system.

Already, 2015 has seen a substantial increase in cyber-attacks by cyber criminals to steal large volumes of data and credentials. These attacks include theft of users’ credentials—such as passwords, usernames, e-mail addresses—and other forms of Personally Identifiable Information (PII) used by customers, employees, and third parties. User credentials can be stolen in many ways and the cyber-attack taxonomy can be quite confusing. Among them can include:

We often hear from the public sector that web-based attacks that occur at companies like Adobe, Forbes, Sony, or Anthem are not their problem. Public Sector organizations secure their own networks with the best hardware, detection software, and penetration testing, and have in place stringent rules about passwords and top-notch use policies that ensure they are safe. In every case, the security chain is only as strong as its weakest link.