Posted on January 6, 2018 at 10:00 AM
A recent data breach has left the sensitive information vulnerable to over 240,000 DHS employees as well as individuals affiliated with DHS investigations.
Hundreds of thousands United States Department of Homeland Security (DHS) employees’ sensitive information was left exposed following a data breach. Earlier this week, the DHS released a statement which confirmed that the data breach involved the DHS Office of Inspector General’s Case Management System (CMS). The statement also confirmed that affected individuals were notified of the breach.
The breach impacted 247,167 2014 DHS employees, however, affected individuals also included those involved with DHS OIG investigations between the period of 2002 to 2014, such as complainants, subjects, and witnesses. According to the DHS, exposed information included names, grades, social security numbers, duty stations, dates of birth, and position in the DHS.
The agency noted that no information regarding affected individuals’ family members, associates, spouses, or children, were exposed.
However, when it came to people formerly linked with DHS OIG investigations, the exposed information included names, personal information related to DHS representatives during interrogations, social security numbers, addresses, passport and immigration information, phone numbers, dates of birth, and email addresses.
The agency stated that the data breach was not because of a malicious cyber attack and that the exposed information was not the breach’s main target.
During May 2017, a former DHS OIG employee was caught in possession of an unauthorized copy of certain files. Since the discovery, the DHS launched a criminal investigation into this case.
In their statement, the DHS noted that the investigation was complex, especially considering that it was closely linked to another criminal investigation which was ongoing at the time. Between the period of May and November 2017, the DHS launched an extensive privacy investigation which included a comprehensive technical evaluation of the exposed information, a forensic analysis of the breach, as well as a comprehensive assessment which analyzed the risk the exposed information would pose to impacted individuals.
The DHS noted that the investigation required a collaboration with several law enforcement agencies to ensure that no further case information was compromised.
The DHS declined to make the name available to the ex-employee as well as other details regarding the investigation, which is still ongoing.
Affected employees received a notification of the breach on December 18, 2017. However, the DHS stated that they were unable to notify other affected individuals of the data breach, due to certain tech limitations. However, the DHS encouraged all individuals who were part of DHS OIG investigations to contact the department for more information.
All impacted individuals will receive a free credit monitoring and identity protection service for a period of 18 months. In addition, affected individuals have been warned to be cautious of phone calls from alleged DHS representatives asking them for more personal information.
Chief Privacy Officer of the DHS, Phillip Kaplan stated that the DHS is committed to serving the agency’s employees and considers their private information and the security thereof a top priority.
Following the data breach, the DHS confirmed that they will be adding several security measures to their internal system in an attempt to limit access to sensitive information, as well as to detect any suspicious activity when it comes to potentially compromised data.
Kaplan concluded by apologizing for the data breach and by noting that the DHS is committed to ensuring that a similar breach will not happen in the future.