More than 240,000 current and former employees of the US Department of Homeland Security have had their personal details exposed in a data breach.
In what it describes somewhat euphemistically as a “privacy incident”, the DHS said the breach could also affect anyone who was part of an investigation by the DHS Office of Inspector General between 2002 and 2014.
The breach was discovered in May 2017, when - as part of an ongoing criminal investigation - the DHS found a former employee had an unauthorised copy of the office’s investigative case management system.
The DHS was at pains to emphasise that the “evidence indicates that… personal information was not the primary target” and that the incident wasn’t a “cyber attack by external actors”.
But it still led to the unauthorised transfer of the personally identifiable information - including name, social security number and position - of 246,167 federal government staff employed by the DHS in 2014.
On top of that, it affects an undefined number of people that were under investigation by the office between 2002 and 2014 - this could be subjects, witnesses and complainants, and is not limited to DHS employees. That information could include name, social security number, address, phone number and date of birth.
Current and former staff were contacted on December 18, 2017, but the department said it was “unable to provide direct notice to the individuals affected by the Investigative Data”.
Clearly anticipating the question of why it took them nine months to alert affected individuals after discovering the breach, the DHS's canned statement said:
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
In a bid to reassure people that this wouldn't happen again, the department said it was placing “additional limitations” on who gets back end access to case management systems, as well as implementing additional network controls to identify unusual access patterns.
In addition, it said it would be “performing a 360-degree review of DHS OIG’s development practices related to the case management system”.
It added that anyone potentially affected was being offered 18 months of free credit monitoring and identity protection services. ®