Tens of thousands of current and former Homeland Security Department employees are at risk of identity theft after officials discovered a vulnerability in a vendor’s system used for processing background investigations.
All DHS employees working in the headquarters office, for Customs and Border Protection, and for Immigration and Customs Enforcement from 2009 to 2013 are the most affected, according to an internal notice sent to employees, which was obtained by Federal News Radio and confirmed by a DHS spokeswoman.
“As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations was potentially accessible by an unauthorized user since July 2009,” the internal notice stated.
A DHS spokeswoman emphasized there is no evidence that any employee data was stolen or lost.
“The department takes its responsibility to safeguard personal information seriously,” the spokeswoman said by email. “At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence to suggest that any information was inappropriately accessed, out of abundance of caution, notifications to potentially affected employees began today, outlining ways that they can protect themselves, including requesting fraud alerts and credit reports. DHS is evaluating all legal options while engaging with the vendor to pursue all available remedies.”
DHS said it found out about the breach from a law enforcement partner and is investigating if the vendor had any data stolen. The agency says, “The software vulnerability did not permit access to the actual Standard Form 86, which contains information provided about other individuals for the investigatory process.”
DHS didn’t say who the vendor is, but did say in a set of frequently asked questions on its website that CBP “issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.”
DHS suffered another contractor cybersecurity problem in 2007 when congressional investigators said Unisys failed to secure unclassified computers at headquarters and the Transportation Security Administration.
Last year, a hacker group called Digital Corruption stole information from users in the Transportation Worker Identification Credential database, according to Dark Reading.
DHS is not alone in their struggles to secure information. The Government Accountability Office found in a July 2012 report that agencies reported more than 15,000 data breaches in 2011, up 19 percent from 2010.