The US DHS Office of Inspector General (OIG) has confirmed that the “privacy incident” discovered in May 2017 resulted in the theft of personally identifiable information of DHS employees and individuals associated with investigations.
The incident was the result of an attempted inside job by three DHS OIG employees who, according to the New York Times, stole the OIG’s computer system with the plan to “modify the proprietary software for managing investigative and disciplinary cases, so that they could market and sell it to other inspector general offices across the federal government.”
All in all, data on approximately 247,167 current and former DHS employees, as well as of an unspecified number of subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014, was found on the home computer server of one of the three insiders.
The data included:
- Names, Social Security numbers, dates of birth, positions, grades, and duty stations of the employees, and
- Names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, and addresses of individuals associated with investigations, as well as any personal information they provided in interviews with DHS OIG investigative agents.
According to the OIG, “the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized transfer of data.”
Nevertheless, the DHS is offering to all individuals potentially affected by this incident 18 months of free credit monitoring and identity protection services.
Why were notifications to affected individuals sent so late?
The affected employees was contacted directly, but due to technological limitations, the department wasn’t able to send notices to the other individuals whose data was compromised. They are expected to get in touch with the AllClear ID service in order to take advantage of the offer.
The DHS says that they did not send out the notices before December 2017 because “the investigation was complex given its close connection to an ongoing criminal investigation.” It took them until November to finish the forensic analysis of the compromised data an assess the risk to affected individuals.
To prevent this type of incident from happening again, they have implemented additional security precautions to limit which individuals have access to this type of information, and additional network controls to better identify unusual access patterns by authorized users.
“If this isn’t a case of poorly governed access to applications and data, I don’t know what is. Governing access to data (and applications) is the process of ensuring only the right people have the right access to the right data (and apps) at the right time – and you can prove it. It seems that DHS has failed on this account by allowing the wrong person to have access to inappropriate data…and their auditing infrastructure was unable to show it,” noted Daniel Conrad, Identity and Access Management Specialist at One Identity.
“Had DHS acquired and deployed a robust identity and access management platform, it may have been able to avert this calamity by first, ensuring only the right people have access to this type of sensitive data. Secondly, a robust framework would also have strong auditing and segregation of duties and capabilities that may have alerted the right people at DHS that this volume of sensitive data was ‘leaving the building.'”