DHS OIG Privacy Incident Involving PII of Employees & Investigative Data

On January 3, 2018, select Department of Homeland Security (DHS) employees received notification letters from the DHS Chief Privacy Officer, Phillip S. Kaplan, to advise them that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System.

According to the Kaplan, the privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized transfer of data.

Message as Received by Affected DHS Employees

This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG).

You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.

On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.

This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals.

DHS Employee Data:

• The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”).

Investigative Data:

• The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).

The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized exfiltration.

All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services.

Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017.

Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data.

Therefore, if you were associated with a DHS OIG investigation from 2002 through 2014, you may contact AllClear ID at (855) 260-2767 for information on credit monitoring and identity protections services. 

The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted.

Please be assured that we will make every effort to ensure this does not happen again.

DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns.

We will continue to review our systems and practices in order to better secure data.

DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.

We sincerely apologize for any inconvenience this may have caused.  See below for additional information you may find useful.

Sincerely,

Phillip S. Kaplan
Chief Privacy Officer
U.S. Department of Homeland Security

Frequently Asked Questions:

What Information Was Compromised?

The compromised information included the personally identifiable information (PII) of two groups of individuals:

DHS Employee Data:

1. Approximately 246,167 federal government employees who were employed directly by DHS during 2014.
2. The PII for these individuals includes names, Social Security numbers, dates of birth, positions, grades, and duty stations.
3. This list of federal government employees was used by DHS OIG Office of Investigations to conduct identity confirmation during the complaint and investigative process.

Investigative Data:

1. Individuals associated with DHS OIG investigations from 2002 through 2014, which includes subjects, witnesses and complainants who were both DHS employees and non-DHS employees.
2. The PII contained in this database varies for each individual depending on the documentation and evidence collected for a given case.
3. Information contained in this database could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.

Why Did it Take from May 2017 to December 2017 to Get a Notice Sent to Those Individuals Who Were Affected?

The investigation was complex given its close connection to an ongoing criminal investigation.

From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.

These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.

What Do I Need to Do?

DHS has arranged for AllClear ID to protect your identity for 18 months at no cost to you.   The following identity protection services start on the date of this notice and you can use them at any time during the next 18 months.

• AllClear Identity Repair:
  • This service is automatically available to you with no enrollment required.
  • Identity repair is intended to address issues related to credit restoration or recovery of financial losses.
  • If an issue arises, please call AllClear ID at (855) 260-2767 and a dedicated investigator will assist you.
• AllClear Credit Monitoring:
  • This service entails credit monitoring and a $1 million identity theft insurance policy.
  • To use this service, you will need to provide your personal information and the redemption code in your Notice to AllClear ID directly.
  • You may sign up online at www.enroll.allclearid.com or by calling AllClear ID at (855) 260-2767.

(The BestIDTheftCompanys.com Team reviews one of the largest identity theft protection companies in the United States. Learn powerful information about AllClear ID, from their “goods” to their “bads.” Courtesy of BIDTC Reviews and YouTube)

AllClear staff will guide you through the process.

What Else Can I Do to Protect Myself?

The Department’s Chief Privacy Officer and Chief Security Officer recommend that you help prevent unauthorized access and/or possible fraudulent activity on your financial accounts.  Below are steps you can take to protect your identity.

• Contact AllClear ID at (855) 260-2767.
• Consult Federal Trade Commission’s IdentityTheft.gov (www.identitytheft.gov/steps) website
• Determine if a credit freeze is right for you.
  • Credit freezes, also known as security freezes, make it more difficult for someone to open new accounts in your name.
  • Generally, during a credit freeze your credit information can only be accessed by your existing creditors and debt collectors.
  • Opening a new account in your name is more difficult because most institutions require a credit report to open a new account.
  • However, please note that a credit freeze may not be suitable if you anticipate obtaining a loan or line of credit in the near future (i.e., mortgage or a car loan).

Please Contact the Credit Bureaus Below for More Information.

Reach out to the three major credit bureaus regarding credit freezes and credit reports:

• TransUnion.com
  • Fraud Victim Assistance Department
  • P.O. Box 2000
  • Chester, PA 19016
    1-800-680-7289
• Equifax.com
  • P.O. Box 105069
  • Atlanta, GA 30348-5069
    1-800-525-6285
• Experian.com
  • P.O. Box 9554
  • Allen, TX 75013
    1-888-397-3742

Review your free credit report carefully.  If you find errors, take these steps:

• Dispute them yourself. You don’t need to use a credit repair service.
• By law, consumer reporting agencies and the creditors that provide the information in your credit report are responsible for correcting inaccurate or incomplete information in your report.
• If errors on your credit report seem to be the result of someone stealing your identity, go to identitytheft.gov to get personalized steps to report and recover from identity theft.

Please be alert to any phone calls, emails, and other communications from individuals claiming to be from DHS, or other official sources asking for your personal information or asking that you verify such information.

This is often referred to as information solicitation or “phishing.”

DHS will never contact you by phone and ask you to provide any sensitive/identifying information.

Did this Privacy Incident Include Information About My Spouse, Children, Other Family Members and/or Close Associates?

The 2014 DHS Employee File is a file that only contained information about individuals that were employed by DHS in 2014.

This file did not include any information about employees’ spouses, children, family members and/or close associates.

The breach of the DHS OIG Case Files included individuals associated with DHS OIG investigations.

Family members and close associates were impacted by this privacy incident only if they were involved in a DHS OIG investigation.

If you, a family member, and/or close associate believe you/they were impacted by this incident, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.

Does This Mean That All Employees Who Appear in the 014 DHS Employee File Are Or Were Under Investigation by DHS OIG?

No.  All employees’ information was in this file regardless of whether or not they were involved with an investigation.

You were mailed a notification because DHS determined that you were included in the 2014 DHS Employee File. 

DHS OIG runs queries against this file to confirm the identities of individuals associated with DHS OIG investigations.

In order for this search to function properly, the file must include all employees regardless of whether they are associated with an investigation.

I Believe I Was Associated With a DHS OIG Investigation From 2002 Through 2014. Am I Impacted by this Privacy Incident? What Should I Do?

You may be impacted by this privacy incident if you were associated with a DHS OIG investigation from 2002 through 2014 in any capacity including as a subject, complainant, or witness.

If you believe you were associated with a DHS OIG investigation from 2002 through 2014, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.

What If I Already Have Identity Theft Protection From a Prior Privacy Incident?

You may have been offered similar services in the past if you were impacted by other cybersecurity or privacy incidents.

If you are already enrolled in identity theft protection and credit monitoring services, the decision of whether to sign up for services provided by DHS is your choice. 

The Federal Trade Commission has helpful resources available on its website concerning identity theft and what steps you should take when an incident occurs https://www.ftc.gov/idtheft.

What is DHS Doing to Better Secure Employees’ PII?

DHS OIG has implemented a number of security precautions to further secure the DHS OIG network which includes:

• Placing additional limitations on which individuals have back end IT access to the case management system;
• Implementing additional network controls to better identify unusual access patterns by authorized users; and
• Performing a 360-degree review of DHS OIG’s development practices related to the case management system.