The case management system used by the DHS Office of the Inspector General was breached, but the organization said it wasn't the result of a cyberattack.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A breach in the case management system used by the Department of Homeland Security's Office of the Inspector General (OIG) led to the leak of personal data from roughly 250,000 employees.
- The breach also affects people who may have been involved in a DHS OIG investigation from 2002-2014, even if they didn't work there.
The Department of Homeland Security's (DHS) Office of the Inspector General (OIG) recently experienced a breach in its case management system, exposing the personally identifiable information (PII) of numerous employees and other people involved in certain investigations.
The breach was detailed in a Wednesday press release from the DHS, noting that PII data was exposed for either 246,167 or 247,167 (both numbers are used in the release) federal government employees who were DHS employees in 2014. According to the release, this list was used to confirm the identity of certain individuals during the complaint and investigative process.
Unfortunately, this means that a lot of highly sensitive data was put out into the world. For these current and former employees, information such as their names, Social Security numbers, positions at DHS, birthdates, and duty stations were leaked, the release said.
In addition to employees, the breach also impacted people who may have been associated in some way with DHS OIG investigations that occurred between 2002 and 2014, the release said. Examples would be people who were considered subjects, witnesses, or complainants in a case.
The impact on these individuals will vary depending on the case they worked on. However, the release noted, affected information could include: "names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents."
The breach was discovered after the organization determined that a former DHS OIG employee had an unauthorized copy of its investigative case management system in their possession. As such, the release said, DHS doesn't believe that the breach was the result of a cyberattack from an external actor. It also mentioned that the PII data wasn't the primary target of the exfiltration.
DHS contacted the affected employees on December 18, but it has no way to contact all of the other people involved in the cases, according to the release. Additionally, DHS is offering 18 months of free credit monitoring and identity protection services, through AllClear ID, to all who were affected.
In the release, DHS also mentioned other steps that affected individuals can take to protect their PII data. The organization also noted that it is working to bolster its own security practices and better prevent a future attack of this magnitude.