Data breach puts DHS employees at risk of identity theft

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.federalnewsradio.com/473/3332836/Data-breach-puts-DHS-employees-at-risk-of-identity-theft

Tens of thousands of current and former Homeland Security Department
employees are at risk of identity theft after officials discovered a
vulnerability in a vendor's system used for processing background
investigations.

All DHS employees working in the headquarters office, for Customs and
Border Protection, and for Immigration and Customs Enforcement from
2009 to 2013 are the most affected, according to an internal notice
sent to employees, which was obtained by Federal News Radio and
confirmed by a DHS spokeswoman.

"As a result of this vulnerability, information including name, Social
Security numbers (SSN) and date of birth (DOB), stored in the vendor's
database of background investigations was potentially accessible by an
unauthorized user since July 2009," the internal notice stated.

A DHS spokeswoman emphasized there is no evidence that any employee
data was stolen or lost.

"The department takes its responsibility to safeguard personal
information seriously," the spokeswoman said by email. "At the
direction of DHS, the vulnerability was immediately addressed. While
there is no evidence to suggest that any information was
inappropriately accessed, out of abundance of caution, notifications
to potentially affected employees began today, outlining ways that
they can protect themselves, including requesting fraud alerts and
credit reports. DHS is evaluating all legal options while engaging
with the vendor to pursue all available remedies."

DHS said it found out about the breach from a law enforcement partner
and is investigating if the vendor had any data stolen. The agency
says, "The software vulnerability did not permit access to the actual
Standard Form 86, which contains information provided about other
individuals for the investigatory process."

DHS didn't say who the vendor is, but did say in a set of frequently
asked questions on its website that CBP "issued a stop work and cure
notice to the vendor based on its contract. DHS is evaluating all
legal options and is engaged with the vendor's leadership to pursue
all costs incurred mitigating the damages."

DHS suffered another contractor cybersecurity problem in 2007 when
congressional investigators said Unisys failed to secure unclassified
computers at headquarters and the Transportation Security
Administration.

Last year, a hacker group called Digital Corruption stole information
from users in the Transportation Worker Identification Credential
database, according to Dark Reading.

DHS is not alone in their struggles to secure information. The
Government Accountability Office found in a July 2012 report that
agencies reported more than 15,000 data breaches in 2011, up 19
percent from 2010.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.