The personally identifying information of 247,167 current and former employees of the Department of Homeland Security was compromised in a data breach last year. DHS notified the current and former employees affected by letter in December 2017 and disclosed the breach in a public posting on January 3, 2018:
“This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG). You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.”
The data breach was discovered in May 2017 during a criminal investigation conducted by the DHS Office of the Inspector General and the U.S. Attorney’s Office. Investigators found that a former DHS OIG employee possessed an unauthorized copy of the office’s investigative case management system.
DHS OIG investigators did not just find a copy of the personal data; they found an unauthorized copy of the office’s investigative case management system in the hands of a former employee.
This data breach was not a cyber attack from some unknown hacker, malware or ransomware. The system was breached by an insider, and the employee did not merely download data and store it without authorization; they had a copy of the whole program.
As reported by the New York Times, it turns out there were three subjects, all former DHS OIG employees, who planned to modify the OIG case management system software and then repackage and sell it to other federal IG officers (https://www.nytimes.com/2017/11/28/us/politics/homeland-security-personal-data-software-stolen.html). As the authorities put it, this is a case where the cops became the robbers.
This case is also a good reminder that your information security and intellectual property are at the mercy of the people you trust as well as the people you don’t. Not all insider threats are as blatant as a conspiracy by employees to pirate the employer’s software. In fact, most are due to human error rather than a nefarious plot.
Just remember that good security practices require you to have a plan to mitigate and recover from incidents caused by insiders as well as outsiders.