Philip Kaplan, chief privacy officer of the US Department of Homeland Security, has confirmed in a statement that a 2014 security breach exposed personally identifiable information of more than 240,000 people who worked for the department in the previous 12 years, as well as subjects, witnesses and complainants in investigations.
An unauthorized copy of the database was found during a criminal investigation on the home server of a former employee.
“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” reads the press release.
“These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”
Although the data was leaked in 2014, the leak was detected in May 2017 and reported by media outlets in November. A number of DHS employees have been informed via email that their personal data may have been exposed, including Social Security Numbers, dates of birth, addresses, phone numbers, positions, grades, and duty stations. The leaked database contained no information about family members.
“This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG),” wrote the Office of the Inspector General (OIG).
“You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014. “
DHS will take further precautions to strengthen its security system. People affected will receive free identity protection services for 18 months.
“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized transfer of data.”
According to the New York Times reporting in November, the inside job was run by three employees who had stolen the computer system to alter the software used in investigations and then sell it to other offices in federal government.
The IRS, the NSA and other agencies have also dealt with similar privacy incidents in the past.