CASE FILE // PC-2026-04
Status: Open


Filing 03.04.00 | Field 27 APR 2026 | Classification Public | Status Open

Phishing cost in government: the lowest sector figure that understates the real cost

Average breach cost $2.55M (IBM 2025), the lowest of any major sector by direct IT cost. Contractor-ecosystem cleanup, FISMA reporting, state notification, and FOIA-driven public disclosure layer on top. Vishing against IT helpdesks is the recurring pattern.

Exhibit A

Why the government figure understates true cost


Government sector breach cost sits at $2.55M average per IBM 2025, the lowest of any major sector tracked in the report. The headline figure is technically correct but materially understates the true cost of a government phishing breach for two structural reasons rooted in the IBM cost-modelling methodology.

First, per-record liability is structurally lower because government data carries different statutory liability than PHI, PCI, or financial-services PII. Government breach notification timelines exist (under both FISMA and state-level rules) but the per-record fine schedules that drive cost in healthcare and finance do not have direct parallels. The IBM methodology captures the per-record cost it can quantify and produces a lower number as a result.

Second, customer-churn cost is structurally near-zero in government because residents and constituents cannot easily switch government providers. A breach at a state Department of Motor Vehicles does not cause residents to migrate to another DMV. The customer-churn line that contributes 8 to 12 percent of cost in healthcare, finance, retail, and tech breaches is approximately zero in government, which pulls the IBM figure downward without reflecting any operational reality about whether the breach was less severe.

The cost categories that the IBM methodology does not fully capture in government include contractor-ecosystem cleanup (the cleanup spans the agency plus all contractor entities with affected access), FOIA-driven public disclosure (any breach details that surface through Freedom of Information requests become part of the public-disclosure cost), and political accountability time (legislative-hearing preparation, public-statement drafting, executive-branch coordination). These categories collectively add an estimated $1M to $5M to the true cost of a major government phishing breach but do not appear cleanly in the IBM line items.[IBM 2025 government cohort + CSIS State-and-Local Government cyber tracker 2024-2025]

Exhibit B

The LA Housing Authority case: a mid-sized public-sector reference

CASE FILE

On 31 December 2022, the Housing Authority of the City of Los Angeles (HACLA) detected unauthorised access to its network. The intrusion was attributed to a LockBit ransomware affiliate, with phishing reported as the initial-access vector ahead of the ransomware deployment. HACLA subsequently disclosed that data on approximately 25,000 individuals was affected, including names, addresses, Social Security numbers, and information related to housing-assistance programs. Notification to affected individuals was completed in early 2023.

The HACLA case is a useful reference because it is approximately the median size for a publicly-disclosed state-or-local-government phishing breach in 2022-2024. Larger cases (the Oakland 2023 ransomware incident, the Dallas 2023 incident, the Atlanta 2018 SamSam ransomware case) sit one or two orders of magnitude above this in impact; smaller cases (the constant background of small-municipality and county-government incidents tracked by CSIS) sit one or two orders of magnitude below. The HACLA pattern of phishing-initial-access into LockBit-affiliate ransomware is now the canonical mid-size state-or-local pattern.

The full cost of the HACLA incident has not been disclosed publicly but is reliably estimated in the low millions of dollars, comprising direct IR engagement, notification to 25,000 individuals, credit-monitoring services, system rebuild, and the operational drag of running a housing-assistance program through a multi-week recovery window. The cost does not include the political accountability time that City of Los Angeles staff spent on public communications and council briefings, which is real but not captured in the IT-cost line.[HACLA public disclosure Q1 2023 + LockBit attribution per multiple incident-response vendors]

Exhibit C

The vishing-heavy vector mix


The government sector phishing-vector mix is unusual in that vishing (voice phishing, see /by-attack/vishing) is a heavier share of attempted breaches than in any other sector. Three structural factors drive this. First, government workforces are larger than average, with hundreds of thousands of employees in major federal agencies and tens of thousands in major state agencies, which makes helpdesk-impersonation attacks attractive at scale. Second, government IT helpdesks frequently operate runbooks that predate the modern threat model and have not been updated to require video verification or in-person confirmation for MFA reset. Third, the volume of contractor-and-vendor staff creates a large identity-attack surface where the helpdesk does not always have direct visibility into the legitimate user.

The published government-sector vishing record includes multiple cases through 2023-2024 where the attacker simply called the IT helpdesk impersonating an employee and obtained credential reset, then pivoted to broader access. The pattern parallels the MGM Resorts 2023 case (see /by-attack/vishing) but lands in government environments with frequently weaker downstream controls because the FIDO2 deployment lag in government is generally longer than in commercial enterprise. CISA has issued multiple advisories through 2023-2024 specifically addressing helpdesk-impersonation patterns against federal agencies and state-and-local government.[CISA helpdesk-impersonation advisories 2023-2024 + CSIS state-and-local government tracker]

Exhibit D

Cost-line build-up against the $2.55M figure


Cost line                         | Share of $2.55M | Dollar figure | Driver
Incident response + forensics     | 24%             | $612K         | Often shared with contractor ecosystem
Notification + monitoring         | 21%             | $535K         | Lower per-record but high resident count
System rebuild + recovery         | 17%             | $434K         | Legacy-system rebuild frequently required
Direct wire / ransomware loss     | 13%             | $331K         | Where phishing pivoted to ransomware
Contractor-ecosystem cleanup      | 10%             | $255K         | Distinct line not captured for other sectors
Legal + class-action exposure     |  7%             | $179K         | Lower than services sectors
FISMA / oversight reporting       |  5%             | $127K         | OMB + Congressional briefing prep
Control rebuild + awareness       |  3%             |  $77K         | One-time post-event

The contractor-ecosystem cleanup and FISMA-reporting lines are distinct to government and do not have direct parallels in private-sector breach modelling. The customer-churn line that contributes 8 to 12 percent in private-sector breaches is approximately zero here.[IBM 2025 government cohort + CSIS state-and-local breach analysis 2023-2024]

Exhibit E

FISMA, FedRAMP, and the federal regulatory layer


For federal agencies and their contractors, the regulatory layer is dominated by the Federal Information Security Modernization Act (FISMA), implemented through OMB Circular A-130 and operationalised through NIST SP 800-series controls (primarily SP 800-53 for federal systems and SP 800-171 for contractor handling of Controlled Unclassified Information). Compliance is assessed annually through FISMA reports submitted to OMB and Congress; agencies that fall behind compliance face direct oversight pressure and budget consequences.

The FedRAMP layer applies to cloud services provided to federal agencies. A phishing-initiated compromise of a FedRAMP-authorised cloud provider can trigger parallel notification and remediation obligations across every federal-agency customer of that provider. The 2023 Microsoft Storm-0558 incident (see /by-attack/spear-phishing) cascaded across multiple federal-agency Exchange Online tenants and demonstrated the cross-agency blast-radius of a single major cloud-provider compromise. The post-incident remediation drove the Microsoft Secure Future Initiative and a substantial tightening of CISA + FBI joint advisory practice on cloud-provider compromise.

For state-and-local government, the regulatory landscape is more fragmented. Multi-State Information Sharing and Analysis Center (MS-ISAC) coordinates incident response across state-and-local entities; CISA provides technical advisory support; individual states have varying breach-notification rules that mirror but do not exactly match the federal regime. The fragmentation creates a higher procedural overhead during incident response than in federal-only or large-commercial contexts, which contributes to the higher proportion of incident-response cost in the state-and-local breach figures.[FISMA + OMB A-130 + NIST SP 800-53/171 + MS-ISAC operational reports 2024-2025]

Exhibit F

Controls: the post-2023 federal cyber executive-order layer


#1  Phishing-resistant MFA across the workforce

Reduces: ~90% of credential-pivot value
Cost: $50 per user one-time

Mandated for federal agencies by Executive Order 14028 (May 2021) and subsequent OMB Memorandum M-22-09. State-and-local agencies generally lag behind the federal deployment curve. The single most-leveraged government phishing defence.

#2  Helpdesk video-verification for MFA reset

Reduces: ~80% of helpdesk-vishing success
Cost: $0 tooling, runbook update

Hard rule that no MFA reset can be performed without video verification or in-person confirmation. The MGM 2023 lesson applied to government helpdesks. Cheapest meaningful single change for any agency with a phone-reset legacy runbook.

#3  Contractor MFA enforcement contractual SLA

Reduces: ~50% of contractor-pivot risk
Cost: Procurement-team work

Federal contracts since 2023 include MFA-enforcement clauses for contractor-side access; state-and-local contracts often do not. Updating template contract clauses is procurement-team work with high leverage in identity-pivot reduction.

#4  Zero-trust architecture migration per OMB M-22-09

Reduces: ~60% of post-compromise blast radius
Cost: Multi-year, agency-dependent

Federal agencies are working through the OMB M-22-09 zero-trust deployment plan with target completion FY2024 (now slipping to FY2026-2028 in most agencies). State-and-local agencies generally have not started. Long-term high-leverage.

#5  Behavioural email security on agency mailboxes

Reduces: ~55% of lure delivery
Cost: $42 to $96 per mailbox per year

Federal agencies have deployed varying behavioural-email-security solutions through the Continuous Diagnostics and Mitigation (CDM) program. State-and-local deployment is much patchier and depends on individual procurement decisions.

#6  MS-ISAC + EI-ISAC participation for state-and-local

Reduces: ~30% of incident-response time
Cost: Membership cost (often free)

MS-ISAC and Elections-Infrastructure ISAC provide threat-intelligence and incident-response coordination for state-and-local entities. Participation reduces both the lure-delivery rate (through shared blocklists) and the incident-response time when an event occurs.
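The hard rule in control #2 (no MFA reset without video or in-person verification) and the contractor blind spot described in Exhibit C can be expressed as a runbook-time gate plus a retrospective audit of helpdesk tickets. The following Python is an added example written for this page, not code from any agency, vendor or the page's sources; the ticket schema, field names, sample records and the seven-day repeat window are assumptions chosen for illustration.

```python
"""Helpdesk MFA-reset gate and audit.

Added example, not code from the page or from any agency. The ticket
schema, field names, sample export and the 7-day repeat window are
assumptions made for illustration.
"""
import json
from datetime import datetime, timedelta

# Verification methods the runbook accepts for an MFA reset. Anything a
# caller can satisfy over the phone (caller ID, a manager's name, "security
# questions", a callback to a number the caller supplied) is deliberately
# left out: that is the helpdesk-vishing path from Exhibit C.
STRONG_VERIFICATION = {"video_id_check", "in_person"}

# Two resets for the same account inside this window get a second look even
# when each one individually passed verification (assumed threshold).
REPEAT_WINDOW = timedelta(days=7)


def reset_allowed(ticket):
    """Runbook-time gate. Returns (allowed, reason) for one request."""
    if ticket.get("action") != "mfa_reset":
        return True, "not an MFA reset"
    method = ticket.get("verification", "none")
    if method not in STRONG_VERIFICATION:
        return False, f"weak verification: {method}"
    # Contractor accounts: the helpdesk has no HR record to check against,
    # so the sponsoring agency contact must also confirm the request.
    if ticket.get("account_type") == "contractor" and not ticket.get("sponsor_confirmed"):
        return False, "contractor reset without sponsor confirmation"
    return True, "ok"


def parse_tickets(jsonl):
    """Parse a JSON-lines ticket export; blank lines are skipped."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def audit(tickets):
    """Retrospective audit of completed tickets.

    Applies the gate to every MFA reset and flags repeat resets for the
    same user inside REPEAT_WINDOW. Returns (ticket_id, user, reason) tuples
    in chronological order.
    """
    findings = []
    last_reset = {}
    for t in sorted(tickets, key=lambda t: t["opened"]):
        if t.get("action") != "mfa_reset":
            continue
        allowed, reason = reset_allowed(t)
        if not allowed:
            findings.append((t["ticket"], t["user"], reason))
        opened = datetime.fromisoformat(t["opened"])
        prev = last_reset.get(t["user"])
        if prev is not None and opened - prev <= REPEAT_WINDOW:
            findings.append((t["ticket"], t["user"],
                             f"repeat MFA reset within {REPEAT_WINDOW.days} days"))
        last_reset[t["user"]] = opened
    return findings


# Constructed sample export (not real tickets, not real users).
SAMPLE_EXPORT = """\
{"ticket": "HD-10421", "opened": "2026-03-02T09:14:00", "user": "jdoe", "account_type": "employee", "action": "mfa_reset", "verification": "video_id_check"}
{"ticket": "HD-10422", "opened": "2026-03-02T09:40:00", "user": "rpatel", "account_type": "employee", "action": "mfa_reset", "verification": "phone_callback"}
{"ticket": "HD-10423", "opened": "2026-03-03T11:05:00", "user": "v-bsmith", "account_type": "contractor", "action": "mfa_reset", "verification": "video_id_check", "sponsor_confirmed": false}
{"ticket": "HD-10424", "opened": "2026-03-03T13:00:00", "user": "kng", "account_type": "employee", "action": "password_reset", "verification": "phone_callback"}
{"ticket": "HD-10425", "opened": "2026-03-06T08:30:00", "user": "jdoe", "account_type": "employee", "action": "mfa_reset", "verification": "in_person"}
"""


def audit_sample():
    """Run the audit over the constructed export."""
    return audit(parse_tickets(SAMPLE_EXPORT))


if __name__ == "__main__":
    for ticket_id, user, reason in audit_sample():
        print(f"{ticket_id} {user}: {reason}")
```

Run stand-alone, it reports three findings from the constructed export: a phone-callback reset, a contractor reset with no sponsor confirmation, and a second reset for the same account four days after a clean first one. The `reset_allowed` gate is what an agent or the ticketing workflow should consult before touching the account; the audit is for the resets that were already performed under a legacy phone-reset runbook and need a second look.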

Exhibit G

Frequently filed questions

ON RECORD

What is the average phishing-related breach cost in government?

$2.55M per IBM 2025, the lowest of any major sector by direct IT cost. The figure understates true cost because contractor-ecosystem cleanup and FOIA-driven disclosure layer on top.

Why is government breach cost lower than other sectors?

Lower per-record liability and structurally-zero customer churn. Government data carries different statutory liability than PHI or PCI, and residents cannot switch government providers.

What is the dominant phishing vector in government?

Vishing against IT helpdesks is heavier than in other sectors. Combined with credential-harvest and BEC, these three account for the majority of major-event volume.

What is FISMA?

The Federal Information Security Modernization Act, governing federal cyber-control standards through OMB Circular A-130 and NIST SP 800-series controls. Compliance is assessed annually.

What is the LA Housing Authority case?

A December 2022 LockBit ransomware incident at HACLA via phishing-initial-access. Approximately 25,000 individuals had data affected. Now a canonical mid-sized state-or-local reference.

Do state-and-local agencies follow federal MFA requirements?

No. Federal Executive Order 14028 and OMB M-22-09 do not bind state-and-local agencies. State-and-local MFA deployment is fragmented and generally lags federal practice by 2-4 years.

What is the highest-leverage state-and-local control?

Helpdesk video-verification for MFA reset. Zero tooling cost, ~80% reduction in helpdesk-vishing success. The MGM 2023 lesson applied to government helpdesks.

Updated 2026-04-27