The Homeland Security Department is shedding new light on the details of a personal data breach from last year, and offering credit monitoring services to hundreds of thousands of DHS employees potentially affected by the breach.
The personal data breach, DHS warned, may have also impacted individuals who have contacted, or been contacted by the agency’s watchdog office, and have asked them to come forward.
In a letter sent Wednesday to more than 246,000 current and former DHS employees, Phillip Kaplan, the agency’s chief privacy officer, said individuals affected by a privacy breach at the Office of Inspector General last May would receive 18 months of free credit monitoring, and pointed them in the direction of where to sign up for the service.
The notice stems from an incident in May, when investigators discovered employees’ sensitive personal information on the home computer server of an OIG employee. The employee’s computer server also had copies of 159,000 case files from the OIG’s case management system. USA Today first reported about the breach in November.
“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized exfiltration,” Kaplan wrote.
Authorities told the New York Times that three suspects, all former DHS OIG employees, planned to modify the office’s case management software and then market it back to other federal IG offices.
DHS cited an “ongoing criminal investigation” as part of the reason why affected federal employees were only now notified that their sensitive personal information was at risk.
“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” the agency wrote in a press release that included a copy of the breach notification letter. “These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
DHS will provide current and former employees affected by the breach with 18 months of free credit monitoring and a $1 million identity theft insurance policy through the provider AllClear ID. The agency will also provide affected individuals with credit restoration and financial loss restoration services through AllClear ID, in the event of identity theft.
DHS recommends that affected employees request credit reports and credit freezes from the three major credit bureaus — Equifax, Experian and TransUnion. The agency also warned affected employees about possible phishing calls from would-be identity thieves looking to verify or obtain additional personal information.
“DHS will never contact you by phone and ask you to provide any sensitive/identifying information,” the agency said.
While DHS has reached out to one group of people possibly impacted by this breach, individuals employed by DHS in 2014, the second group of people targeted by this — the subjects, witnesses and complainants involved in DHS OIG investigations between 2002 and 2014 — have been harder to track down.
“Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data,” Kaplan wrote.
DHS said individuals associated with any DHS OIG investigation from 2002 and 2014 should contact AllClear ID for more information about credit monitoring and ID protection coverage.
In order to prevent future breaches, DHS OIG has further limited the number of individuals who have back-end access to its case management system and added new network controls to better detect unusual activity from approved users.
“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted,” Kaplan wrote. “Please be assured that we will make every effort to ensure this does not happen again. DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data.”