Roughly 250,000 Department of Homeland Security employees are being notified of an unauthorized release of their personal data because of circumstances a former DHS official says are “different than your typical cyber breach.”
The department discovered in May that an unauthorized copy of its investigative case management system was in the possession of a former employee of the DHS Office of Inspector General. According to the DHS, it delayed announcing the data breach until now because of the complexity of its subsequent investigation.
The current breach looks like “an insider threat” by a former employee rather than a state-sponsored cyber attack, Jonathan E. Meyer, privacy and cybersecurity partner at Sheppard, Mullin, Richter & Hampton LLP in Washington, told Bloomberg Law Jan. 5. “This appears quite different than your typical cyber breach.”
Meyer was deputy general counsel at DHS under former President Barack Obama.
Risk Low This Time
“Over the last few years at DHS, we confronted cyber attacks on sensitive personal data by organized outsiders, including state-sponsored attacks. This is not that,” Meyer said in an email.
“So, the risk of actual invasion of privacy is low, but DHS did the absolute right thing in notifying affected individuals and offering them credit monitoring and identity theft insurance,” Meyer said.
This isn’t the first time federal employees have been subjected to unauthorized releases of their personal information.
The Office of Personnel Management in June 2015 disclosed that a pair of data breaches had compromised the information of about 22.1 million people, including federal employees, job applicants, contractors, and their families. Katherine Archuleta, the former OPM director, and Donna Seymour, the agency’s former chief information officer, both left the OPM following the well-publicized data breaches.
Two Groups Affected
The new breach affects two groups: 247,167 people who were employed by the department in 2014 and those “associated with DHS OIG investigations from 2002 through 2014" as subjects, witnesses, or complainants, the DHS said.
“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target” of the data transfer, a Jan. 3 message to employees from DHS Chief Privacy Officer Philip Kaplan said. The department nonetheless is offering identity protection services to those affected, he said.
“All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services,” Kaplan wrote.
Notification letters were sent Dec. 18 to the current and former employees who were potentially affected by the breach, he said.
The DHS is asking people involved with DHS OIG investigations from 2002 through 2014 to contact AllClear ID at 855-260-2767 for information on credit monitoring and identity protections services, Kaplan added.
For those who worked at the department in 2014, the information taken includes names, Social Security numbers, dates of birth, positions, grades, and duty stations, the DHS said.
Information taken for those involved in the OIG investigations varies for each individual depending on the documentation and evidence collected. The data could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided to OIG investigators, the department said.
“DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns,” Kaplan wrote. “We will continue to review our systems and practices in order to better secure data.”