DHS notifies employees of potential PII data breach


The Homeland Security Department says software used by a vendor that processes personnel security investigations had a vulnerability that may have allowed a breach of data including Social Security numbers.

In an announcement that went online earlier this month, DHS says a law enforcement agency notified it of the vulnerability and that it may affect those who received a DHS clearance between July 2009 and May 2013, "primarily for positions at DHS HQ, Customs and Border Protection and Immigration and Customs Enforcement."

The vendor-stored data include Social Security numbers, names and dates of birth – three elements that together enable identity thieves to act. There is no evidence that such data was ever actually accessed by an unauthorized user, the notice says, adding that it is notifying employees "out of abundance of caution."

DHS doesn't specify what the vulnerability was. Based on other data breach incidents, causes could range from the banal, such as a terminated employee's unrevoked system access or database access privileges granted to an unqualified employee, to more troubling reasons such as weak user authentication or lack of encryption – but the agency is silent on that and on the identity of the vendor. The notice does state that CBP sent the vendor a stop work and cure notice, and that DHS "is evaluating all legal options and is engaged with the vendor to pursue all available remedies."

The DHS notice doesn't provide potentially affected employees credit monitoring or other credit services, but it does provide the toll-free numbers of credit bureaus and notes that individuals can request insertion of a fraud alert into their files. It also has a link to the Federal Trade Commission's identity theft website.
