A data breach involving the U.S. Department of Homeland Security (DHS) might have exposed more than 240,000 current and former federal employees’ personally identifiable information (PII).
On 3 January, DHS published a statement about the security incident. In it, Chief Privacy Officer Phillip S. Kaplan reveals that the U.S. Attorney’s Office and the Department of Homeland Security’s Office of the Inspector General (OIG) discovered the breach on 10 May 2017 as part of a criminal investigation. Officials specifically found an unauthorized copy of the Department’s investigative case management system in the possession of a former DHS OIG employee.
At the time of its discovery, that copied DHS OIG system contained the PII of two separate groups. First, it contained the names, Social Security Numbers, dates of birth, and employment information for 247,167 current and former federal government employees whom DHS directly employed in 2014. Second, it stored names, email addresses, physical addresses, Social Security Numbers, phone numbers, and other data for individuals who were involved in a DHS OIG investigation between 2002 and 2014.
Kaplan is confident that external actors weren’t responsible for the breach and that potentially affected individuals’ PII was not the main target of the incident.
The Department of Homeland Security had its reasons for waiting to send notifications to all possible victims on 18 December some seven months after discovery. As it explains in the statement:
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
DHS also took the time to introduce additional security measures that limit who can access the types of information exposed in the data breach and that can better monitor suspicious access patterns.
While the Department continues to work to better secure its systems, potential victims of the incident can take advantage of 18 free months of AllClear services that can help protect them against identity theft and credit card fraud. They should also consider placing a security freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.