Privacy Incident Involving DHS Office of Inspector General Case Management System
By DHS Team
January 4, 2018
On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System. The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.
Message Received by Affected DHS Employees
This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG). You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.
On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.
This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”). The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).
The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized exfiltration.
All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services. Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017. Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data. Therefore, if you were associated with a DHS OIG investigation from 2002 through 2014, you may contact AllClear ID at (855) 260-2767 for information on credit monitoring and identity protection services.
The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted. Please be assured that we will make every effort to ensure this does not happen again. DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.
We sincerely apologize for any inconvenience this may have caused. See below for additional information you may find useful.
Frequently Asked Questions
What information was compromised?
The compromised information included the personally identifiable information (PII) of two groups of individuals:
Why did it take from May 2017 to December 2017 to get a notice sent to those individuals who were affected?
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
What do I need to do?
DHS has arranged for AllClear ID to protect your identity for 18 months at no cost to you. The following identity protection services start on the date of this notice and you can use them at any time during the next 18 months.
After contacting AllClear, you will need to take additional steps in order to activate your phone alerts and other monitoring options available to you. AllClear staff will guide you through the process.
What else can I do to protect myself?
The Department’s Chief Privacy Officer and Chief Security Officer recommend that you help prevent unauthorized access and/or possible fraudulent activity on your financial accounts. Below are steps you can take to protect your identity.
Please be alert to any phone calls, emails, and other communications from individuals claiming to be from DHS, or other official sources asking for your personal information or asking that you verify such information. This is often referred to as information solicitation or “phishing.” DHS will never contact you by phone and ask you to provide any sensitive/identifying information.
Did this privacy incident include information about my spouse, children, other family members and/or close associates?
The 2014 DHS Employee File is a file that only contained information about individuals that were employed by DHS in 2014. This file did not include any information about employees’ spouses, children, family members and/or close associates.
The breach of the DHS OIG Case Files included individuals associated with DHS OIG investigations. Family members and close associates were impacted by this privacy incident only if they were involved in a DHS OIG investigation. If you, a family member, and/or close associate believe you/they were impacted by this incident, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.
Does this mean that all employees who appear in the 2014 DHS Employee File are or were under investigation by DHS OIG?
No. All employees’ information was in this file regardless of whether or not they were involved with an investigation. You were mailed a notification because DHS determined that you were included in the 2014 DHS Employee File. DHS OIG runs queries against this file to confirm the identities of individuals associated with DHS OIG investigations. In order for this search to function properly, the file must include all employees regardless of whether they are associated with an investigation.
I believe I was associated with a DHS OIG investigation from 2002 through 2014. Am I impacted by this privacy incident? What should I do?
You may be impacted by this privacy incident if you were associated with a DHS OIG investigation from 2002 through 2014 in any capacity including as a subject, complainant, or witness. If you believe you were associated with a DHS OIG investigation from 2002 through 2014, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.
What if I already have identity theft protection from a prior privacy incident?
You may have been offered similar services in the past if you were impacted by other cybersecurity or privacy incidents. If you are already enrolled in identity theft protection and credit monitoring services, the decision of whether to sign up for services provided by DHS is your choice. The Federal Trade Commission has helpful resources available on its website concerning identity theft and what steps you should take when an incident occurs: https://www.ftc.gov/idtheft.
DHS OIG has implemented a number of security precautions to further secure the DHS OIG network, which include: