Data breach puts DHS (Department of Homeland Security) employees at risk of identity theft


Tens of thousands of current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in the vendor’s system for processing background investigations.

All DHS employees working in the headquarters office, for the Customs and Border Protection and for the Immigration and Customs Enforcement components from 2009 to 2013 are the most affected, according to an internal notice sent to employees, which was obtained by Federal News Radio and confirmed by a DHS spokeswoman.

“As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user since July 2009,” the internal notice stated.

A DHS spokeswoman emphasized there is no evidence that any employee data was stolen or lost.

“The department takes its responsibility to safeguard personal information seriously,” the spokeswoman said by email. “At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence to suggest that any information was inappropriately accessed, out of abundance of caution, notifications to potentially affected employees began today, outlining ways that they can protect themselves, including requesting fraud alerts and credit reports. DHS is evaluating all legal options while engaging with the vendor to pursue all available remedies.”

DHS said it found out about the breach from a law enforcement partner and is investigating if the vendor had any data stolen. The agency says, “The software vulnerability did not permit access to the actual Standard Form 86, which contains information provided about other individuals for the investigatory process.”

DHS didn’t say who the vendor is, but did say in a set of frequently asked questions on its website that CBP “issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.”

DHS suffered another contractor cybersecurity problem in 2007 when congressional investigators said Unisys failed to secure unclassified computers at headquarters and the Transportation Security Administration.

Last year, a hacker group called Digital Corruption stole information from users in the Transportation Worker Identification Credential database, according to Dark Reading.

DHS is not alone in their struggles to secure information. The Government Accountability Office found in a July 2012 report that agencies reported more than 15,000 data breaches in 2011, up 19 percent from 2010.

There response:

Response to Potential PII Incident

The Department of Homeland Security (DHS) has recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations. The software gathers and stores sensitive personally identifiable information (PII) for background investigations. As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user. At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence that any unauthorized user accessed any personally identifiable information, out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance, of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and a credit report. DHS takes its responsibility to safeguard PII seriously and that information is protected.

CBP has issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.

During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports. The Department is also working with the vendor on notification requirements for current contractors, inactive applicants, and former employees and contractors. To ensure that affected individuals’ concerns are addressed, DHS has stood up a call center in conjunction with notifications.

Potentially affected individuals can protect themselves by requesting that a fraud alert be placed on their credit file to let potential creditors know to contact them before opening a new account in their name. Potentially affected individuals call any one of the three credit reporting agencies at the phone numbers listed below. The company contacted will contact the other two credit reporting agencies on the individuals behalf to have the fraud alert placed on their file.

My question is if Department of Homeland Security can be hacked because of a vendor software issue..Are you sure your network is secure and are all your vendors coming from a IP that you can control on your firewall…long short is NO PORTS should be open on your firwall except 443 and that should only be for IPSEC VPN..Then think do you really need BYOD’s accessing your network if they do it should only be via IPSEC with MAC address control

Tags: , , , , , , , ,

Comments are closed.

%d bloggers like this: