Incident Of The Week: 247K DHS Workers Exposed In Data Breach



Dan Gunderman
01/05/2018

In the dynamic world of cyber security, the details of breaches are tightly guarded, and the breaches themselves are, sadly, ever imminent.

Combing through data, market research and the threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards, helping enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a “privacy” event that occurred inside the Department of Homeland Security (DHS). According to a statement released by the DHS on Wednesday, the department is alerting current and former DHS employees – over 240,000 of them – about the discovery of an unauthorized copy of a database used by the DHS Office of the Inspector General (OIG).

The statement begins by clarifying that the privacy incident did not stem from a cyber-attack carried out by external actors. It also says that personally identifiable information (PII) was “not the primary target” in the unauthorized data transfer.

The DHS homepage then includes, word for word, the message delivered to current and former DHS employees who worked for the department in 2014.


“You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014,” it reads.

It continues, stating that an ongoing criminal investigation carried out by the DHS OIG and the U.S. Attorney’s Office uncovered the suspicious copy of the OIG’s investigative case management system, which was in the possession of a former DHS OIG employee. The message does not say how the data was exfiltrated or whether the former employee is the target of the investigation.

Further, PII contained in the system may have been released, and it pertains to two sets of people: 247,167 current and former DHS employees (circa 2014) and another group of DHS-associated individuals (subjects, witnesses and complainants) who were involved with DHS OIG investigations from 2002-2014.

To remediate the situation, the DHS is offering 18 months of free credit monitoring and identity protection services. The aforementioned message was delivered on Dec. 18, 2017.

The department cites “technological limitations” in its reasoning for not being able to directly notify the other individuals potentially affected. It asks those associated with DHS OIG investigations within that timeframe to contact AllClear ID for credit monitoring and identity protection services.

The DHS says that it “takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted.”

It also suggests it will make every effort to avoid a repeat event. The DHS says it has implemented additional security precautions to limit access to the sensitive information. It will also “better identify unusual access patterns.”

“We sincerely apologize for any inconvenience this may have caused,” the statement reads.


In its report on the incident, NextGov.com pointed out that security experts have often said that credit monitoring – which the DHS is offering potentially affected employees – is less effective at preventing the exploitation of PII than other routes, such as freezing one’s credit.

The same story also states that USA Today outlined the breach in November, with leaked documents, but the DHS did not confirm it at that time.

This latest breach is worrisome to enterprises of all sizes. Even if the organization’s perimeter is strictly guarded, cyber incidents can propagate right beneath the CISO’s nose – that is to say, the insider threat abounds. Though the firewall may be strong, determined individuals who already know the enterprise’s lay of the land can ultimately defeat its controls.
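The DHS says it will “better identify unusual access patterns,” and the insider in this case walked off with a bulk copy of a case management database. As an added illustration (not DHS tooling or any real log format), the script below builds a per-user baseline from constructed access-log lines and flags a day whose record volume dwarfs that user’s normal activity; the log fields, user names and threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample access-log lines (not real DHS data): date, user, action, records touched.
SAMPLE_LOG = """\
2014-03-03 analyst1 READ 40
2014-03-03 analyst2 READ 55
2014-03-04 analyst1 READ 38
2014-03-04 analyst2 READ 60
2014-03-05 analyst1 READ 45
2014-03-05 analyst2 READ 52
2014-03-06 analyst1 EXPORT 120000
2014-03-06 analyst2 READ 58
"""


def parse_log(text):
    """Parse 'date user action count' lines into (date, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, action, count = line.split()
        events.append((date, user, action, int(count)))
    return events


def daily_totals(events):
    """Sum records touched per (user, date), regardless of action type."""
    totals = defaultdict(int)
    for date, user, _action, count in events:
        totals[(user, date)] += count
    return totals


def flag_unusual_access(events, factor=10, min_history=3):
    """Return sorted [(user, date, count, baseline)] for days whose volume exceeds
    factor x the user's median volume on their other logged days (leave-one-out).
    Users with fewer than min_history other days are skipped: no baseline yet."""
    per_user = defaultdict(dict)
    for (user, date), count in daily_totals(events).items():
        per_user[user][date] = count
    flagged = []
    for user, days in per_user.items():
        for date, count in days.items():
            others = [c for d, c in days.items() if d != date]
            if len(others) < min_history:
                continue
            baseline = median(others)  # median resists the outlier day itself
            if count > factor * baseline:
                flagged.append((user, date, count, baseline))
    return sorted(flagged)
```

A real deployment would key the baseline on role and peer group as well as the individual, since a new hire or a reassigned analyst has no useful history of their own.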

