DHS Workers' PII Exposed for Nearly 4 YearsVulnerability Found in System Processing Background Checks
A Department of Homeland Security system used to conduct background checks may have exposed personally identifiable information of employees and contractors for nearly four years.
The vulnerability, found in software provided by a vendor, was discovered by a DHS law enforcement partner, which informed the department this past week. Neither the vendor nor law enforcement agency was identified by DHS.
DHS, which says it addressed immediately the vulnerability, is investigating to determine what, if any, personally identifiable information may have been accessed by unauthorized individuals.
No evidence exists of unauthorized users accessing the personally identifiable information, which included names, Social Security numbers and dates of birth, according to a DHS website posting.
DHS did not respond to a number of questions regarding the nature of the vulnerability, including the number of individuals whose information was exposed, details about the system, who had access to it and how the information was exposed. The department did issue the following statement, attributed to a spokesperson:
"Out of abundance of caution, notifications to potentially affected employees began today, outlining ways that they can protect themselves, including requesting fraud alerts and credit reports. DHS is evaluating all legal options while engaging with the vendor to pursue all available remedies."
The exposed information was of employees and contractors who submitted background investigation information between July 2009 and this month, primarily for positions at DHS headquarters and the Custom and Border Protection and Immigration and Customs Enforcement units. It also could include personally identifiable information of individuals that received DHS security clearance since July 2009.
DHS says it has determined that other information provided in the Standard Form-86, the standard security questionnaire prospective employees fill out, was not exposed.
Custom and Border Protection has issued a stop work and cure notice to the vendor. DHS says it's evaluating all legal options and is engaged with the vendor's leaders to pursue all costs incurred mitigating the damages. DHS did not disclose the amount of damages.
DHS says it's making every effort to reach out to former employees, applicants, former contractors and similar individuals who received a DHS clearance that may be affected. "DHS takes its responsibility to protect PII seriously," a department statement says. "Contracts with security vendors who provide the same type of services as the vendor in question are being reviewed to ensure all necessary requirements for protecting PII are incorporated and that compliance mechanisms and incident response are included."
The department says it's working with the vendor on notification requirements for current contractors, inactive applicants and former employees and contractors. To ensure that affected individuals' concerns are addressed, DHS has stood up a call center in conjunction with notifications. The call center can be reached at 855-891-2739 between 8 am and 8 pm EST or firstname.lastname@example.org.