A DHS data breach exposed PII of over 250,000 people

News roundup: A DHS data breach exposed PII of 250,000 federal employees, as well as investigative data from 2002 to 2014. Plus, a new bill aims to nix paperless voting, and more.

A data breach at the U.S. Department of Homeland Security exposed the personally identifiable information of over 250,000 federal government employees, as well as an unspecified number of people connected with DHS investigations.

DHS released a statement Jan. 3, 2018, that confirmed the exposure of "approximately 246,167" federal government employees who worked directly for DHS in 2014. It also disclosed the breach of a database for the Office of Inspector General that contained the personally identifiable information (PII) of any person -- not necessarily employed by the federal government -- who was associated with OIG investigations from 2002 to 2014. This includes subjects, witnesses and complainants.

In its statement, the department emphasized the DHS data breach was not caused by a cyberattack and referred to it as a "privacy incident."

"The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual's personal information was not the primary target of the unauthorized unauthorized [sic] transfer of data," DHS said.

The DHS data breach was initially found in May 2017 during a separate, ongoing DHS OIG criminal investigation in which it was discovered that a former DHS employee had an unauthorized copy of the department's case management system.

However, individuals affected by the DHS data breach weren't notified until Jan. 3, 2018. In its statement, DHS addressed why the notification process took so long.

"The investigation was complex given its close connection to an ongoing criminal investigation," the department said. "From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised."

The DHS employee data breach exposed PII that included names, Social Security numbers, dates of birth, positions, grades and duty stations of DHS employees; the DHS investigative data breach exposed names, Social Security numbers, dates of birth, alien registration numbers, email addresses, phone numbers, addresses and other personal information that was provided to the OIG during investigative interviews with its agents.

DHS is offering free identity protection and credit-monitoring services for 18 months to affected individuals. The department said it has also taken steps to improve its network security going forward, including "placing additional limitations on which individuals have back end IT access to the case management system; implementing additional network controls to better identify unusual access patterns by authorized users; and performing a 360-degree review of DHS OIG's development practices related to the case management system."

While the affected government employees were notified directly about the breach, DHS stated, "Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data."

DHS urged anyone associated with a DHS OIG investigation between 2002 and 2014 to contact AllClear ID, the Austin, Texas, breach response service retained by DHS to provide credit-monitoring and identity protection services to affected individuals.

In other news:

  • A group of senators has introduced a bill to secure U.S. elections. The Secure Elections Act is a bipartisan bill that aims to provide federal standards for election security. One measure proposed in the bill is to eliminate the use of paperless voting machines, which are regarded by election security experts as the least secure type of voting machines in use in today. Paperless voting machines don't allow for audits, which the proposed legislation also wants to make a standard practice in all elections. The idea is that audits after every election will deter foreign meddling in American democracy like Russia's interference in the 2016 U.S. presidential election. "An attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions," the bill states. The bill was sponsored by Sen. James Lankford (R-Okla.) and co-sponsors Sens. Amy Klobuchar (D-Minn.), Lindsey Graham (R-S.C.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Martin Heinrich (D-N.M.).
  • Attackers exploited a vulnerability in Google Apps Script to automatically download malware onto a victim's system through Google Drive. Discovered by researchers at Proofpoint, the vulnerability in the app development platform enabled social-engineering attacks that tricked victims into clicking on malicious links that triggered the malware downloaded on their computer. The researchers also found the exploit could happen without any user interaction. Google has taken steps to fix the flaw by blocking installable and simple triggers, but the researchers at Proofpoint said there are bigger issues at work. The proof of concept for this exploit "demonstrates the ability of threat actors to use extensible SaaS platforms to deliver malware to unsuspecting victims in even more powerful ways than they have with Microsoft Office macros over the last several years," the research team said in a blog post. "Moreover, the limited number of defensive tools available to organizations and individuals against this type of threat make it likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats." The researchers went on to note that, in order to combat this threat, "organizations will need to apply a combination of SaaS application security, end user education, endpoint security, and email gateway security to stay ahead of the curve of this emerging threat."
  • The United States federal government is nearing its deadline to implement the domain-based message authentication, reporting and conformance (DMARC) tool. In October 2016, the DHS announced it would mandate the use of DMARC and HTTPS in all departments and agencies that use .gov domains. DHS gave those departments and agencies a 90-day deadline to implement DMARC and HTTPS, which means the Jan. 15, 2018, deadline is soon approaching. According to security company Agari, as of mid-December, 47% of the federal government domains were now using DMARC, compared to 34% the month before. Another requirement within this mandate is federal agencies are required to use the strongest "reject" setting in DMARC within a year. This means emails that fail authentication tests will be less likely to make it to government inboxes -- i.e., be rejected. Agari reported a 24% increase in the use of higher "reject" settings in the last month. On the flip side, Agari noted that most agency domains (84%) are still unprotected, with no DMARC policy.

Dig Deeper on Data security and privacy