The personal information of a few thousand Department of Homeland Security employees and individuals involved in Inspector General investigations was found to have been exposed in May 2017, according to a recent DHS announcement,
On Jan. 3, 2018, DHS sent letters to some 247,167 current and former agency employees, notifying them that their personal information had been exposed in an unauthorized data transfer conducted by a former employee.
“On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee,” Phillip S. Kaplan, DHS’s chief privacy officer, wrote in the letter to effected persons.
The letter said that the incident included personally identifiable information from persons employed by DHS during 2014 and from subjects, witnesses and complainants involved in DHS OIG investigations from 2002 through 2014.
Due to technical limitations, DHS was unable to provide direct notice to individuals involved in the IG investigations, and is recommending that people who were associated with such investigations call AllClear ID at (855) 260-2767 for more information.
That personally identifiable information included names, Social Security numbers, dates of birth, positions, grades and duty stations of employees, as well as names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers and addresses of those involved in IG cases.
According to DHS, the incident did not stem from a cyberattack and the primary target was likely not the personal data. DHS did not clarify what the primary target of the data transfer was.
The personal information was discovered as part of an ongoing criminal investigation, according to the letter, which meant that the agency needed to take May-November 2017 to conduct a privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals and comprehensive technical evaluations of the data elements exposed before notifying those impacted.
DHS plans to offer all individuals potentially affected by this privacy incident 18 months of free credit monitoring and identity protection services.
“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted,” Kaplan wrote.
“Please be assured that we will make every effort to ensure this does not happen again. DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.”
Jessie Bur covers federal IT and management.