Possible breach of DHS employee data has an unusual twist

[InfoSec News <alerts () infosecnews org>]

http://gcn.com/articles/2013/06/03/dhs-data-breach-employee-info.aspx

By William Jackson
GCN.com
Jun 03, 2013

The Homeland Security Department has notified some employees that 
personally identifiable information used for security clearances and 
stored in a third-party database could have been exposed to unauthorized 
users.

The notifications came after DHS was alerted to a vulnerability in the 
vendor software by a “law enforcement partner.” According to a public 
notice the vulnerability could have been in place for as long as four 
years but has been addressed after being identified.

The department said there is no evidence that the information, which 
included Social Security numbers and dates of birth, had been improperly 
accessed, although it is investigating what, if any, personally 
identifiable data might have been accessed since 2009. The fact that law 
enforcement was involved raises the possibility that a breach occurred. 
DHS officials have declined to comment on the incident beyond the public 
notice.

It is not surprising that DHS was notified by a third party of the 
vulnerability. Most vulnerabilities are discovered by legitimate “white 
hat” researchers, who usually report them to the software vendor before 
they are publicly disclosed. In this case, it was law enforcement rather 
than researchers that appear to have discovered the problem. Whether it 
was part of an active investigation into a security breach is not known.

Many security breaches go unnoticed by victims. According to the Verizon 
2013 Data Breach Investigation Report, 69 percent of breaches analyzed 
in the report were discovered by external parties, and 66 percent of 
breaches took months or longer to discover.

[...]

______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org