Content, Americas, Governance, Risk and Compliance, Breach, Channel markets, Security Staff Acquisition & Development

DHS Inside Job Put 250,000 Federal Employees in Data Breach Danger

Personally identifiable information (PII) of nearly 250,000 current and former employees at the U.S. Department of Homeland Security was pilfered last May in a brazen inside job, the agency said. The caper has some irony to it with security watch dogs turning into robbers right under the agency’s nose.

An “unauthorized copy of the agency’s investigative case management system” was discovered on the home computer of an ex-DHS Office of Inspector General (OIG) employee during a criminal investigation, Phillip Kaplan, DHS chief privacy officer, notified staffers on Wednesday in a website post.

Although word of the breach was reported by USA Today and the New York Times last November, the robbery remained officially unconfirmed by the agency, which said the investigation had tightened its lips. The crooks, said DHS officials, had an ulterior motive apart from heisting the personal credentials of 247,167 people employed by the agency in 2014. Subjects, witnesses and plaintiffs tied to the DHS OIG investigation from 2002 - 2014 are also involved, according to the DHS message.

Apparently, it wasn’t a cyber attack that pried open the agency's data doors but instead the culprit was old fashioned skulduggery: The three ex-DHS OIG thieves were motivated by profit. They intended to to overwrite some of the software code in the case management system and sell a knock off version to other federal IG agencies, the NYT reported.

The personal information of the federal employees included the motherlode of data -- names, social security numbers, dates of birth, positions, grades, and duty stations. Compromised personal information from individuals associated with DHS OIG investigations from 2002 through 2014 could include names, Social security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents, Kaplan wrote.

“The investigation was complex given its close connection to an ongoing criminal investigation,” he said. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

While DHS officials didn’t reveal the names of the former staffer caught red-handed, the agency said it will limit back-end access to its case management system and more stringently scan for unusual behavior by approved users. Affected employees can sign on with AllClear ID to protect their identity for 18 months free of charge.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.