There is a firm by the name of Symantec. It is one of the best firms that monitor cyber attacks. A few years ago, they put out a report referring to an international survey of 30 or 40 countries. The report had apparently shown that 25% of information used for identity theft and fraud comes from government sources.
They didn't actually point to the federal government, but I suspect that this is probably the reality. Furthermore, this is not the work of hackers. Rather, it's an insider problem—people walking out the door with the information and abusing it.
In response to your question, I would suggest that the best way to tackle this problem would be to strengthen the security requirements around personal information holdings.
I receive incidence reports. An ADM will call to inform us that a laptop containing encrypted personal information has been stolen from an individual's house. That's not good enough—that's not the standard we want to have.