Over 240,000 current and former Department of Homeland Security employees had their personal details compromised in a data breach that was discovered in May 2017 during an ongoing criminal investigation, in what the agency is calling a “privacy incident.” DHS listed a workforce of 229,000 in 2017, so we assume the breach affected most or all current employees.
While conducting an internal criminal probe, DHS investigators found that a former employee in the agency’s Office of the Inspector General (OIG) possessed an unauthorized copy of the agency’s investigative case management system – which included the names, social security numbers, and positions of 246,167 federal government staff employed by DHS in 2014.
Friends and family of DHS employees involved in OIG investigations were also compromised.
The breach of the DHS OIG Case Files included individuals associated with DHS OIG investigations. Family members and close associates were impacted by this privacy incident only if they were involved in a DHS OIG investigation.
Moreover, the database also contained information on an undisclosed number of criminal suspects, witnesses and complaints by the office between 2002 and 2014 – also exposing names, social security numbers, addresses, phone numbers and dates of birth.
This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the DHS Employee Data). The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the Investigative Data).
Current and former DHS staff were notified of the breach on December 18, 2017 – however the department said it was “unable to provide direct notice to the individuals affected by the Investigative Data.” Employees affected by the incident are being offered 18 months of free credit monitoring and identity protection services.
The notice reads:
This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security's (DHS) Office of the Inspector General (OIG). You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.
Homeland Security notes that the breach did not stem from a cyber-attack by external actors, and there is no evidence that personal information was the primary target of the unauthorized exfiltration.
The agency also said in a statement that the delay between the May 2017 discovery of the breach and the December 2017 notification of current and former employees was due to the complexity of the case – and because they could not compromise an ongoing criminal investigation connected to the breach.
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
The department is recommending that affected employees consult the Federal Trade Commission’s identity theft website, consider freezing their credit, reach out to all three major credit bureaus, and watch out for phone calls from individuals claiming to be from DHS who ask for personal information.
DHS is implementing a number of security measures going forward, including placing additional limitations on which individuals have access to the agency’s case management system, establishing additional network controls to identify unusual access patterns, and performing a “360-degree review” of OIG practices related to the case management system.