A data breach at the Department of Homeland Security (DHS) has exposed the personally identifiable information of over 240,000 DHS employees (247,167 to be precise), including both current and former personnel.
Reportedly, the DHS Office of the Inspector General (OIG) Case Management System was accessed, and data belonging to individuals linked with previous investigations by the department was obtained. The breach occurred in 2014, when the affected individuals were employed by the DHS. The investigations were carried out by the OIG between 2002 and 2014.
According to the details provided by the agency, the data breach is not the result of a cyber-attack or malicious activity; rather, documents that were in the possession of a former OIG employee were discovered by threat actors. The department has not yet revealed the former OIG employee’s identity, and the direction of the criminal investigation is also being kept under wraps. The breach was identified on 10 May 2017.
In a statement issued by the DHS on Wednesday, it was noted that affected individuals have been notified of the data breach, which the department referred to as a “privacy incident.” Furthermore, it was revealed that according to the evidence, the affected individuals’ private data was not the “primary target.”
Information leaked in the data breach includes names, dates of birth, Social Security numbers, duty stations, positions, and grades. It took the department seven months to notify the affected employees, primarily because of the complexity of the issue, since the data was connected to an ongoing criminal investigation.
“May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.”
Moreover, DHS revealed that not only the private data of its employees but also extensive details about the investigations carried out by the department have become vulnerable. The details include information about the “subjects, witnesses and complainants,” who include both DHS and non-DHS employees.
The department also noted that the personal information from the investigations varies from individual to individual, since every case required a different set of evidence, interviews, and documentation. The data, however, does not include information about spouses or family members of the employees.
At the time the breach occurred, retired USMC General John F. Kelly was DHS chief; he is now serving as chief of staff for President Donald Trump, while Trump’s ex-deputy chief Kirstjen Nielsen took the position of DHS chief last month.