Homeland Security confirms data breach affecting 240,000 DHS employees

On Wednesday, January 3, the Department of Homeland Security (DHS) disclosed details of a data breach that compromised the personally identifiable information (PII) of 240,000 current and retired DHS employees. The DHS did not provide much information about the breach, but confirmed that the data was in the possession of a former DHS Office of Inspector General (OIG) employee.

The DHS discovered the unauthorized copy of its investigative case management system last May while conducting a joint, ongoing criminal investigation with the US Attorney’s office. To date, the data has not been subjected to fraudulent or malicious activity. The DHS also asserted that the breach was not a cyber crime involving malicious actors.

Seven months passed before the DHS informed any affected person of the breach, which it said was because the data breach investigation was complex due to its close connection to an ongoing criminal investigation. The DHS collaborated closely with law enforcement from May through November 2017 to conduct the privacy investigation, which included:

  • Forensic analysis of compromised data
  • An in-depth assessment of risk to affected individuals
  • Detailed technical evaluations of exposed data elements

DHS data breach affected two groups of people

According to the official news release, individuals with compromised data are categorized into two groups:

  • Approximately 247,167 current and former federal employees staffed by the DHS in 2014, titled “DHS Employee Data”
  • Subjects, witnesses, and complainants involved with DHS OIG investigations from 2002–2014, titled “Investigative Data”

Each affected DHS employee received a breach notification letter informing them that their PII was exposed. This PII included names, Social Security numbers, dates of birth, positions, grades, and duty stations.

Within the Investigative Data group, the PII for each person varies based on the documentation and evidence available. In addition to the PII collected from DHS employees, information could include alien registration numbers, email addresses, phone numbers, addresses, and personal information gathered through interviews with DHS OIG investigative agents.

Those affected have been offered free credit monitoring and identity theft protection services for 18 months. The DHS has also implemented extra security to safeguard the DHS OIG network, and further precautions will be introduced to limit data access and identify anomalies.

Learn more about federal cybersecurity and privacy laws

The US government cybersecurity landscape is complex, with no singular federal law regulating privacy and information security throughout the nation. Instead, the US is regulated through a patchwork of industry-specific federal laws and state legislation, leaving gaps in states that haven’t taken an adequate cybersecurity stance.

If you’re interested in learning more about the federal processes with regards to cybersecurity, visit IT Governance’s Federal Cybersecurity and Privacy Laws Directory. It offers insights into the applicability, penalties, and compliance requirements related to key federal laws that affect the cybersecurity and privacy workforce.