Information Security News
mailing list archives
Possible breach of DHS employee data has an unusual twist
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 4 Jun 2013 02:26:51 -0500 (CDT)
By William Jackson
Jun 03, 2013

The Homeland Security Department has notified some employees that
personally identifiable information used for security clearances and
stored in a third-party database could have been exposed to unauthorized

The notifications came after DHS was alerted to a vulnerability in the
vendor software by a “law enforcement partner.” According to a public
notice, the vulnerability could have been in place for as long as four
years but has been addressed after being identified.

The department said there is no evidence that the information, which
included Social Security numbers and dates of birth, had been improperly
accessed, although it is investigating what, if any, personally
identifiable data might have been accessed since 2009. The fact that law
enforcement was involved raises the possibility that a breach occurred.
DHS officials have declined to comment on the incident beyond the public

It is not surprising that DHS was notified by a third party of the
vulnerability. Most vulnerabilities are discovered by legitimate “white
hat” researchers, who usually report them to the software vendor before
they are publicly disclosed. In this case, it was law enforcement rather
than researchers that appears to have discovered the problem. Whether it
was part of an active investigation into a security breach is not known.

Many security breaches go unnoticed by victims. According to the Verizon
2013 Data Breach Investigation Report, 69 percent of breaches analyzed
in the report were discovered by external parties, and 66 percent of
breaches took months or longer to discover.