The names, social security numbers, addresses, and other personal identifying information of more than 240,000 current and former U.S. Department of Homeland Security employees have been stolen.
The data breach of the DHS Office of Inspector General (OIG) Case Management System affected 247,167 employees in 2014 as well as subjects, witnesses, and complainants involved in investigations from 2002 to 2014, DHS wrote in a release on Wednesday.
While the amount of compromised data varies for each individual depending on the “documentation and evidence collected for a given case,” information stolen from non-employees could include “names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.” The stolen information on current and former employees includes “names, Social Security numbers, dates of birth, positions, grades, and duty stations.”
The department claims the information in this incident was not acquired from a cyberattack by an external actor. It’s still unclear how its systems were compromised. The department said it found an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee. It didn’t name the employee but said evidence indicates the stolen information was not their primary target. Regardless, the incident should raise red flags, especially for private citizens involved in legal disputes as witnesses or complainants.
The DHS knew about the data breach in May but chose not to notify those who were affected until it completed an investigation.
“The investigation was complex given its close connection to an ongoing criminal investigation,” the department wrote. “From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.”
As a response to the data breach, the DHS says it will implement additional security precautions to limit who can access its systems and quickly identify when it has been compromised.
All individuals potentially affected by the breach will be given 18 months of free credit monitoring and identity protection services. The DHS is sending notification letters out to all current and former employees whose information was stolen. However, it claims “technical limitations” prevent it from notifying “non-DHS employees.”
It did not specify how many private citizens were affected. If you were involved in a DHS OIG investigation between 2002 and 2014, you are eligible for credit monitoring. The DHS recommends you call AllClear ID at (855) 260-2767 for more information.