DHS data breach exposes SSNs, names, positions & more of 247K US government workers

January 4, 2018

The U.S. Department of Homeland Security has disclosed that nearly a quarter-million current and former employees had personally identifiable information potentially compromised, after it was found in the possession of a former employee.

Notably, DHS has identified the breach as a “privacy incident,” and not a cyberattack. Their investigation also found that the data in question, affecting 247,167 workers, was not exposed to malicious activity.

Although the department was aware of the breach in May of 2017, it did not begin notifying affected parties until November. DHS said the time was needed to conduct a complex, “extensive forensic analysis,” as the incident was close to an ongoing criminal investigation that authorities did not want to compromise.

Taken at face value, the time between discovery and disclosure could be seen as violating a proposed bill in the U.S. Senate that would require data breach disclosures to be made within 30 days of discovery.

To OWI Vice President of Cybersecurity Joe Stuntz, the categorization of the breach as a “privacy incident” is noteworthy, as privacy incidents can have different reporting requirements than cyber incidents. Such distinctions could play a key role going forward, particularly with any new regulations that might be passed to determine how organizations handle the aftermath of a data breach.

Stuntz also said that the breach, and questions over how to define it, highlight why the concept of trust and safety should be the focus for organizations going forward.

“This is a great example of why the definitions and lines that existed between hacking, privacy, fraud, and insider threat are meaningless today,” Stuntz said. “Regardless of how this event and any others are categorized, it doesn’t matter, as the organization has lost some of the trust of its employees, customers, and other stakeholders.”

OWI has led the charge in detailing how trust and safety are essential conditions for organizations to establish with clients and customers, and also how identity is central to establishing trust and safety. More details can be found in our full report, Commitment Issues: Trust & Safety Through the Digital Fog.