US government websites are facing a rising number of data breaches. The Business Digital Index, created by cybersecurity firm CyberNews, evaluates agencies based on their cybersecurity practices. The index uses a grading scale from A to F.

CyberNews analyzed 490 government internet domains across seven areas, including software patching, web and email security, system reputation, SSL/TLS configuration, hosting, and breach history. Data was collected from search engines, website reputation databases, and custom scanners.

The results are troubling. Over half (53.7 percent) of agencies received a “D” grade, with 38.8 percent scoring an “F,” signaling a high risk of breaches. Only 22 percent earned an “A,” indicating a very low risk.

Another 10 percent earned a “B,” and nearly 15 percent received a “C,” representing low to moderate risk. The average security score across all agencies was 75 out of 100, suggesting that data compromise remains a serious concern.

“Poor cybersecurity practices create vulnerabilities that attackers can exploit, potentially disrupting critical services,” said Vincentas Baubonis, head of security research at CyberNews.

The report also found that 75 percent of government agencies have been breached. Of those, 54 percent had corporate credentials stolen, and 27 percent still reuse compromised passwords. Alarmingly, 25 percent of breaches occurred within just four days of the report’s publication.

Several key security issues were identified. A staggering 93 percent of agencies have improperly configured SSL/TLS, the protocol that protects data transmitted between servers and browsers. This misconfiguration leaves sensitive information vulnerable to interception.

“Cyberattacks are an ongoing threat to organizations of all sizes, and each has a responsibility to protect its data,” Baubonis added.

Other concerns include system hosting vulnerabilities (77 percent), email security issues (59 percent), and web application security risks (45 percent). Email spoofing impacts 45 percent of agencies, and 40 percent struggle with software patching, including 24 percent with high-risk vulnerabilities and 23 percent with critical flaws.

Geographically, agencies outside the Midwest are more affected, with 45 percent of mainland states and 55 percent of territories scoring an “F.” In contrast, just 28 percent of Midwest agencies earned an “F.” DC, South Dakota, and Connecticut scored an “A,” indicating low risk, while Massachusetts, the US Virgin Islands, Idaho, Maine, and Indiana scored between 54 percent and 58 percent — or medium risk.