The US Department of Homeland Security (DHS) has confirmed a major privacy leak affecting nearly a quarter of a million employees as well as others associated with departmental investigations.
The agency revealed in a statement yesterday that the “privacy incident” did not stem from an external attack and that “affected individuals’ personal information was not the primary target of the unauthorized transfer of data.”
The incident relates to a database containing personally identifiable information (PII) used by the DHS Office of the Inspector General (OIG).
The statement added:
“On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the US Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.”
Two groups of people are affected: 247,167 current and former DHS employees who worked at the department in 2014 and individuals such as subjects, witnesses and complainants associated with DHS OIG investigations from 2002-2014.
No further details were given on how many total individuals were affected by the leak, or what the aim of the original “unauthorized exfiltration” of data was.
Affected employees have already been notified by letter, but the DHS claimed it was unable to do the same for individuals from the second group — those involved in DHS OIG investigations from 2002-2014.
The department has offered the usual 18 months of free credit monitoring and identity protection services, with those who think they might be affected encouraged to contact AllClear ID for more information.
The DHS said it is implementing additional “security precautions” to limit user access to sensitive information and better identify unusual access patterns — best practices steps which many will argue should have already been in place.