DHS finds critical vulnerability in software used for background checks

The DHS noted in its alert that it used a third-party vendor to gather and store sensitive personally identifiable information (PII) for background investigations. An exploit could steal a raft of information stored in the vendor’s database, including name, Social Security numbers and date of birth.

“This vulnerability disclosure by the Department of Homeland Security is the latest example of the need for government agencies and enterprises to monitor and manage IT security risks downstream in the software supply chain,” said Torsten George, vice president of worldwide marketing, products and support at IT risk management vendor Agiliance, in an email to Infosecurity. “Since many organizations have hardened defense mechanisms against direct attacks targeting their front-office applications or network infrastructure, hackers are increasingly focusing on the IT supply chain as a new attack vector.”

Recent incidents in which vulnerabilities in independent software vendors’ products were exploited to indirectly compromise businesses include the SCADA control system attacks in the energy and utilities sector and the RSA SecurID token breach in 2011.

While there’s no evidence that an enterprising hacker found the hole, DHS is alerting employees who submitted background investigation information and individuals who received a DHS clearance between July 2009 and May 2013 that they may be affected. The potential victims applied primarily for positions at DHS HQ, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE). DHS has set up a call center in conjunction with notifications.

The DHS said that the vulnerability has now been addressed, and CBP has issued a stop work and cure notice to the vendor based on its contract. DHS is “evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages,” it said. The Department is also working with the vendor on notification requirements for current contractors, inactive applicants, and former employees and contractors.

Potentially affected individuals can protect themselves by requesting that a fraud alert be placed on their credit file, which tells potential creditors to contact the individual for verification before opening a new account in that person’s name.

Organizations like the DHS can also take action to head these issues off at the pass. “In the past, many organizations relied on software vendors to test for vulnerabilities in their code base,” George said. “However, as cyber-attacks against the software supply chain increase, we expect organizations to extend their vulnerability assessments beyond vendor risk surveys and have third-party service providers test software applications prior to procurement and deployment. This will completely change the way we think about vulnerability management.”