More than 250,000 US US Department of Homeland Security (DHS) employees along with individuals involved in on-going DHS criminal investigations, including witnesses, had their personally identifiable information (PII) compromised in a data breach.
The US DHS is in the process of notifying 247,167 current and former staffers and an unknown number of additional people involved in DHS investigations that their PII was discovered in May 2017 in the possession of a former DHS Office of the Inspector General (OIG) employee who was part of an on-going criminal investigation. The database included PII from those who were employed by DHS in 2014 and a separate group subjects, such as, government employees, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014.
“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual's personal information was not the primary target of the unauthorised exfiltration,” said Philip Kaplan, DHS' chief privacy officer, in a statement.
DHS did not indicate whether the compromised PII has been used in a malicious manner.
The compromised information included in the exposed DHS employee database included names, Social Security numbers, dates of birth, positions, grades, and duty stations. This information had been compiled by the DHS OIG to conduct identity confirmation during investigations.
The information exposed for the group containing people directly associated with investigations was much more detailed and included data associated with on-going cases.
“The PII contained in this database varies for each individual depending on the documentation and evidence collected for a given case. Information contained in this database could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents,” Kaplan said.
DHS said it took eight months to reveal this news because the data breach was closely associated with an on-going criminal investigation.
The US government is offering 18 months of free credit monitoring to the affected individuals.