Information on nearly a quarter million Department of Homeland Security (DHS) employees was exposed as part of an "unauthorized transfer of data", the DHS announced.
The privacy incident involved a database used by the DHS Office of the Inspector General (OIG) which was stored in the DHS OIG Case Management System.
The incident impacted approximately 247,167 current and former federal employees that were employed by DHS in 2014. The exposed Personally identifiable information (PII) of these individuals includes names, Social Security numbers, birth dates, positions, grades, and duty stations.
Individuals (both DHS employees and non-DHS employees) associated with DHS OIG investigations from 2002 through 2014 (including subjects, witnesses, and complainants) were also affected by the incident, the DHS said.
The PII associated with these individuals varies depending on the documentation and evidence collected for a given case and could include names, social security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.
The data breach wasn’t the result of an external attack, the DHS claims. The leaked data was found in an unauthorized copy of the DHS OIG investigative case management system that was in the possession of a former DHS OIG employee.
The data breach was discovered on May 10, 2017, as part of an ongoing criminal investigation conducted by DHS OIG and the U.S. Attorney’s Office.
“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized exfiltration,” DHS explained.
The Department said that notification letters were sent to select DHS employees to inform them that they might have been impacted. DHS also says that it conducted a thorough privacy investigation, a forensic analysis of the compromised data, and assessed the risk to affected individuals before making the incident public.
Following the incident, the DHS says it is implementing additional security precautions to limit access to the type of information that was released in this incident and to better identify unusual access patterns.
“We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network,” DHS notes.
Additional information for the affected individuals is available in an announcement and FAQ published on Jan 3.
Related: DHS Orders Government Agencies to Stop Using Kaspersky Products
Related: Hack DHS Act Establishes Bug Bounty Program for DHS