Official website of the Department of Homeland Security

Privacy Response to Potential PII Incident

The Department of Homeland Security (DHS) has recently learned of a vulnerability that existed in the software used by a DHS vendor to process personnel security investigations. The software gathers and stores sensitive personally identifiable information (PII) for background investigations. As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations, was potentially accessible by an unauthorized user. At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence that any unauthorized user accessed any personally identifiable information, out of an abundance of caution, DHS is alerting employees and individuals who received a DHS clearance of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and a credit report. DHS takes its responsibility to safeguard PII seriously and has taken steps to ensure that information is protected.

CBP has issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.

During the week of May 20, 2013, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports.  The Department is also working with the vendor on notification requirements for current contractors, inactive applicants, and former employees and contractors.  To ensure that affected individuals’ concerns are addressed, DHS has stood up a call center in conjunction with notifications.  To reach the call center, please contact 1-855-891-2739 between 8 am and 8 pm EST or privacyhelp@dhs.gov.   

Potentially affected individuals can protect themselves by requesting that a fraud alert be placed on their credit file to let potential creditors know to contact them before opening a new account in their name. Potentially affected individuals can call any one of the three credit reporting agencies at the phone numbers listed below. The company contacted will contact the other two credit reporting agencies on the individual’s behalf to have the fraud alert placed on their file.
 

  • Equifax:  (800) 525-6285
  • Experian:  (888) 397-3742
  • TransUnion: (800) 680-7289

Once an individual places a fraud alert, they will receive information on how to order a free credit report.  Note: this free credit report is separate from the free annual credit report individuals are entitled to once a year.  If individuals would like additional information about protecting their information from identity theft, or if they have been a victim of identity theft, please visit the Federal Trade Commission’s website at www.ftc.gov/idtheft

Frequently Asked Questions
 

1. How did this breach occur?

The Department of Homeland Security (DHS) was recently informed of a vulnerability that existed in the software used by a DHS vendor to gather and store sensitive personally identifiable information (PII) to process personnel security investigations. As a result of this vulnerability, information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations, was potentially accessible by an unauthorized user since July 2009. While there is no evidence that any unauthorized user accessed any personally identifiable information, out of an abundance of caution, DHS has alerted employees of the potential vulnerability and outlined ways that they can protect themselves, including requesting fraud alerts and credit reports.

2. How did DHS learn about the vulnerability?  

DHS was alerted by a law enforcement partner of the potential vulnerability. At the direction of DHS, the vulnerability was immediately addressed. While there is currently no evidence that any unauthorized user accessed any personally identifiable information, DHS is actively investigating to determine what, if any, PII may have been accessed by unauthorized individuals. 

3. Which DHS employees and contractors were impacted by the unauthorized access?

DHS believes that employees and contractors who submitted background investigation information, and individuals who received a DHS clearance, between July 2009 and May 2013, primarily for positions at DHS HQ, Customs and Border Protection (CBP), and Immigration and Customs Enforcement (ICE), may be affected. While there is no evidence at this time that any unauthorized user accessed any personally identifiable information, applicants’ names, Social Security numbers (SSN), and dates of birth (DOB) may have been accessible.

4. What sort of PII was potentially accessed?

There is currently no evidence that any unauthorized user accessed any personally identifiable information.  The categories of potentially accessible information included name, Social Security number, and date of birth. 

5. How can individuals affected by the breach protect themselves?

Employees can protect themselves by requesting that a fraud alert be placed on their credit file to let potential creditors know to contact them before opening a new account in their name. The company contacted will contact the other two credit bureaus on the employee’s behalf to have the fraud alert placed on their file.

  • Equifax:  (800) 525-6285
  • Experian:  (888) 397-3742
  • TransUnion: (800) 680-7289

Once the employee places a fraud alert, they will receive information on how to order a free credit report.  Note: this free credit report is separate from the free annual credit report you are entitled to once a year. If employees would like additional information about protecting their information from identity theft, or if they have been a victim of identity theft, they should visit the Federal Trade Commission’s website at www.ftc.gov/idtheft

6. What information was accessed?

There is currently no evidence that any unauthorized user accessed any personally identifiable information.  The categories of potentially accessible information included name, Social Security number, and date of birth.  DHS has determined that other information provided in the SF-86, the standard security questionnaire, was not accessible.

7. Do I need to alert my contacts that were provided for my background investigation in case their information was breached as well?

Based on DHS’ investigation to date, we have no reason to believe such steps are needed.  The software vulnerability did not permit access to the actual Standard Form 86, which contains information provided about other individuals for the investigatory process.

8. What precautions have been taken since the breach? 

DHS takes its responsibility to safeguard PII seriously and has taken steps to ensure that information is protected. At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence that any unauthorized user accessed any personally identifiable information, out of an abundance of caution, DHS is alerting employees of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports.

DHS is evaluating all legal options and is engaged with the vendor to pursue all available remedies.  

9. Will DHS continue to work with this vendor?

CBP has issued a stop work and cure notice to the vendor. DHS is evaluating all legal options and is engaged with the vendor to pursue all available remedies.  
 

10. What is DHS doing for non-DHS employees who are potentially affected?

DHS is making every possible effort to reach out to former employees, applicants, former contractors, and similar individuals who received a DHS clearance and who may be impacted.

11. Have any lessons been learned from this that will impact other contracts with security vendors?

DHS takes its responsibility to protect PII seriously. Contracts with security vendors who provide the same type of services as the vendor in question are being reviewed to ensure all necessary requirements for protecting PII are incorporated and that compliance mechanisms and incident response are included.

Last Published Date: May 23, 2013