The US Department of Homeland Security has suffered a data breach exposing sensitive, personally identifiable information of more than 240,000 former and current employees. The DHS issued a statement on Wednesday (3 January) after notifying affected individuals regarding a "privacy incident" involving the DHS Office of Inspector General's Case Management System (CMS).
The breach affected 247,167 people employed by the DHS in 2014 along with subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014, the department said. The DHS employee data exposed included names, Social Security numbers, dates of birth, positions, grades and duty stations.
"This file did not include any information about employees' spouses, children, family members and/or close associates," the DHS said.
For affected individuals associated with DHS OIG investigations, names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses and other personal information provided in interviews with DHS agents were compromised.
The DHS emphasised that the incident was not the result of a cyberattack by nefarious threat actors and the affected individuals' personal information was not the primary target of the breach.
In May 2017, an unauthorised copy of the files was discovered in the possession of a former DHS OIG employee, the department discovered in an ongoing criminal investigation.
"The investigation was complex given its close connection to an ongoing criminal investigation," the DHS said in a statement. "From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.
"These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised."
The DHS has not revealed the identity of the ex-employee or provided any details regarding the ongoing investigation.
Notification letters have been sent to all current and former DHS employees who may have been impacted by the breach on 18 December 2017. However, the department is unable to directly notify other individuals affected by the breach due to "technological limitations". It has asked people involved in DHS OIG investigations between 2002 and 2014 to reach out to the department.
All potentially affected individuals have been offered 18 months of free credit monitoring and identity protection services. They have also been asked to be wary of any suspicious phone calls from people claiming to be from the DHS and any enquiries asking for their sensitive and personal information.
"The Department of Homeland Security takes very seriously the obligation to serve the Department's employees and is committed to protecting the information in which they are entrusted," DHS Chief Privacy Officer Phillip Kaplan said.
The DHS said it is implementing additional security precautions to limit access to its information and will apply stringent checks to identify any unusual access patterns.
"Please be assured that we will make every effort to ensure this does not happen again," Kaplan said. "We sincerely apologise for any inconvenience this may have caused."