Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
DHS Says 246,000 Employees' Personal Details Were Exposed
13 Years of Witness Statements to DHS Office of Inspector General Also ExposedThe U.S. Department of Homeland Security is warning that nearly 250,000 federal employees' personal details were exposed in a 2014 breach of the DHS Office of Inspector General's case management system. Also exposed was information, including witness testimony, gathered from DHS employees and nonemployees in the course of investigations.
See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility
"You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014," reads a breach notification issued Wednesday by Philip S. Kaplan, DHS's chief privacy officer.
"On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney's Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee," Kaplan says. DHS immediately launched a breach investigation.
"From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed," Kaplan's breach notification says. "These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised."
News of the breach was first reported by USA Today in November 2017, based on a report it obtained that DHS Inspector General John Roth sent to key members of Congress. The report said that the files had been found on the home server of a DHS employee.
At the time, the DHS OIG told USA Today: "The responsible individuals are no longer on the OIG payroll."
Exposed PII
As a result of the investigation, DHS found that two groups had their data exposed:
- DHS employees file: PII for about 246,000 federal government employees who were employed directly by DHS during 2014 was exposed by a leak of a complete DHS employee file. "The PII for these individuals includes names, Social Security numbers, dates of birth, positions, grades and duty stations," DHS says. "This list of federal government employees was used by DHS OIG Office of Investigations to conduct identity confirmation during the complaint and investigative process."
- OIG case files: PII for an unspecified number of individuals associated with DHS OIG investigations from 2002 through 2014 - including subjects, witnesses and complainants - was exposed. This includes both DHS employees as well as nonemployees. "The PII contained in this database varies for each individual depending on the documentation and evidence collected for a given case," DHS says. "Information contained in this database could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents."
Mission: DHS Office of Inspector General
DHS and its Office of Inspector General were established by Congress in 2002. "The OIG conducts and supervises independent audits, investigations and inspections of the programs and operations of DHS, and recommends ways for DHS to carry out its responsibilities in the most effective, efficient and economical manner possible," the OIG website states. "We also seek to deter, identify and address fraud, abuse, mismanagement and waste of taxpayer funds invested in homeland security."
OIG says its oversight is tailored in particular to DHS's core missions, which include border control, combatting terrorism, enforcing immigration laws, cybersecurity and disaster response.
In 2016 alone, OIG says it received 20,683 hotline or whistle-blower complaints from DHS employees, of which it closed 836 investigations, referring 224 of them to prosecutors, resulting in 114 arrests and 102 convictions.
DHS didn't immediately respond to a request for comment about whether the exposed information might pose a risk to witnesses or complainants who were working with the OIG, and if so, what steps DHS was taking to safeguard these individuals.
Notified: Only DHS Employees
All 2014 DHS employees have been notified about the breach and offered 18 months of prepaid identity theft monitoring services, DHS says.
"The 2014 DHS Employee File is a file that only contained information about individuals that were employed by DHS in 2014," it says. "This file did not include any information about employees' spouses, children, family members and/or close associates."
DHS says all 2014 employees have been notified by mail, adding that it will never phone employees about the breach.
"Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017," the notification says. "Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the investigative data."
Those case files, however, did include details of individuals' family members and associates when they were part of an investigation, DHS says. But the agency is providing no way for nonemployees whose personal details may have leaked to verify whether their information or witness testimony may have been exposed.
Instead, the breach notification states: "You may be impacted by this privacy incident if you were associated with a DHS OIG investigation from 2002 through 2014 in any capacity including as a subject, complainant, or witness. If you believe you were associated with a DHS OIG investigation from 2002 through 2014, please contact AllClear ID ... for more information on credit monitoring and identity protection services."
Security Upgrades
As a result of the breach, OIG says it has implemented stronger security controls, including:
- Restricting back-end IT access to the case management system;
- Implementing additional network controls designed to identify unusual access patterns by authorized users; and
- Reviewing all software development practices pertaining to the OIG's case management system.
DHS did not immediately respond to a request for comment about what additional guarantees or assurances it might seek to offer whistle-blowers and witnesses, given that it lost control of 13 years of potentially sensitive testimony.