Homeland Security data breach compromises personal info of 247K DHS employees

A data breach at the Department of Homeland Security compromised the personal information of nearly a quarter of a million current and former DHS employees, including their names, Social Security numbers, birthdays, positions and pay grades, the agency said Wednesday.

Hundreds of thousands of past and present DHS employees have been notified about a May 2017 “privacy incident” affecting their personally identifiable information, DHS said in a statement.

The incident wasn’t the result of a cyberattack, but rather the doing of a former employee of agency’s Office of Inspector General (OIG), according to DHS.

“On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee,” the statement said.

The former DHS employee was caught having a database containing the personal information of approximately 247,167 current and former DHS workers, including their names, Social Security numbers, dates of birth, positions, grades and duty stations, the statement said.

The database also contained personal information involving an undisclosed number of DHS employees and non-DHS employees who were either subjects, witnesses or complainants associated with investigations launched by the agency’s OIG between 2002 and 2014, including their names, Social Security numbers and any personal details provided during the course of those probes, the statement said.

Individuals affected by the breach are being offered 18 months of free credit monitoring and identity protection services, DHS said.

“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted. Please be assured that we will make every effort to ensure this does not happen again,” said DHS Chief Privacy Officer Phillip S. Kaplan.

“DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network,” Mr. Kaplan said in a statement.

DHS became aware of the breach last May and began notifying members of Congress that same month, USA Today first reported in November.

An investigation into the breach indicated that the data was stolen by three DHS OIG employees who had hoped to sell it, The New York Times subsequently reported.