The Department of Homeland Security announced yesterday that many employees at the agency may have been impacted by a “privacy incident” involving a former agency employee.
DHS said in a statement about the breach that it was not due to a cyberattack, but rather stemmed from the agency’s Office of Inspector General discovering an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.
Because it was not a cyberattack, DHS said that evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.
DHS discovered the breach on May 10, 2017, however, the agency sent letters to affected employees on December 18. DHS said the investigation was complex given its close connection to an ongoing criminal investigation which is why there was so much time in between discovering the incident and notifying individuals who were potentially affected.
“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised,” according to the agency statement.
Two groups were impacted by the breach. The first group consists of 247,167 current and former federal employees that were employed by DHS in 2014. The second group is comprised of individuals (i.e., subjects, witnesses, and complainants and, therefore, presumably private citizens) associated with DHS OIG investigations from 2002 through 2014.
The data that were exposed fell into two categories. The first was DHS employee data including names, Social Security numbers, dates of birth, positions, grades, and duty stations. The exposed data did not include any information about DHS employees’ spouses or family members.
The second category was investigative data impacting individuals associated with DHS OIG investigations from 2002 through 2014. DHS said that personal data from this database will vary depending on on the documentation and evidence collected for a given case, but could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents. Family members’ personal information was impacted only if the individuals were involved in a DHS OIG investigation.
DHS is offering 18 months of free credit monitoring and identity protection services to those who were impacted. The agency also said that because of technological limitations, it is unable to provide direct notice to the individuals contained within the investigative data who might have been impacted and said they need to contact AllClear ID directly at (855) 260-2767 for information on credit monitoring and identity protections services if they think they may have been affected.
The statement from DHS contains further information about the identity monitoring services and what actions impacted individuals may need to take.
