The United States Department of Homeland Security (DHS) has confirmed the breach of the DHS Office of Inspector General (OIG) Case Management System (CMS), affecting approximately 247,167 individuals employed by DHS in 2014, as well as individuals including subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014.
DHS issued a statement on Wednesday after it sent the affected individuals a letter notifying them that they may have been impacted by a "privacy incident" relating to the CMS.
It held firm that the privacy incident did not stem from a cyber attack by external actors, and that "the evidence indicates that affected individual's personal information was not the primary target of the unauthorised transfer of data".
DHS said that on May 10, 2017, DHS OIG discovered an unauthorised copy of its CMS in the possession of a former DHS OIG employee as part of an ongoing criminal investigation.
"The privacy incident did not stem from a cyber attack by external actors, and the evidence indicates that affected individual's personal information was not the primary target of the unauthorised exfiltration," DHS wrote to those affected.
Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017, and said that due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data. It has asked those individuals to reach out to the department.
In the letter penned by DHS chief privacy officer Phillip S Kaplan, the department offered all individuals potentially affected by the incident 18 months of free credit monitoring and identity protection services.
"The Department of Homeland Security takes very seriously the obligation to serve the department's employees, and is committed to protecting the information in which they are entrusted," the department wrote. "Please be assured that we will make every effort to ensure this does not happen again."
DHS said it is implementing additional security precautions to limit which individuals have access to its information, as well as more stringent checks to identify unusual access patterns.