DHS
The U.S. Department of Homeland Security emblem is pictured at an office in Arlington, Virginia, Sept. 24, 2010. Hyungwon Kang/Reuters

The Department of Homeland Security (DHS) announced Wednesday that data of over 240,000 current and former employees was breached from an internal source and was discovered during a criminal investigation into the actions of a former staff member of the Office of the Inspector General (OIG).

In a letter to employees, the DHS said that an unauthorized copy of its investigative case management system was found in the possession of a former DHS OIG employee. The number of affected employees was estimated to be around 247,167 including both current and former employees. They were all employed in the DHS in 2014.

There was no information regarding the former OIG employee and the DHS did not say why the former employee was under investigation.

The information in the file also included names, Social Security numbers, dates of birth, positions, grades and duty stations. The agency said it “did not include any information about employees’ spouses, children, family members and/or close associates.”

The agency confirmed that the incident was not due to an external cyber-attack from unknown sources but stemmed from a leak inside the DHS itself. The breach was eventually categorized as a “privacy incident.”

The department found about the leak way back in May last year. According to a statement on their website, “This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”). The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).”

DHS also added that the data breach was not a malicious attack but a mistake and the leaked data was not a security or privacy threat to the affected.

DHS began notifying concerned employees only in November. The agency was quoted in the report as saying that “a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” which is why there was a delay.

“The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised,” the DHS release said.

DHS also offered 18 months of free credit monitoring and identity protection services through AllClear ID for all the effected current and former employees.

“All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services. Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017,” the release added.

DHS OIG also implemented a number of security precautions to further secure the DHS OIG network.