DHS has received new information about this privacy incident that clarifies the impacted population:
- If you received a written notification from Philip S. Kaplan, you were part of a finite list of approximately 246,167 DHS employees. Most but not all of the DHS employees on this list were employed by DHS in 2014; however, some may have been employed by DHS in other years. The written notice you received incorrectly identified the year in which an affected person may have been employed by DHS as 2014. This update does not change your inclusion on the list of affected individuals.
- You may also have been affected if you were associated with a DHS OIG investigation from 2002 through 2017. This population was previously indicated as being from 2002-2014. Due to technological limitations, DHS is unable to provide direct notice to these individuals.
Please refer to the updated FAQs below for more information and guidance.
Release Date: January 3, 2018
On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System. The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.
Message Received by Affected DHS Employees
This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG). You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.
On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.
This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”). The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).
The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized exfiltration.
All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services. Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017. Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data. Therefore, if you were associated with a DHS OIG investigation from 2002 through 2014, you may contact AllClear ID at (855) 260-2767 for information on credit monitoring and identity protection services.
The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted. Please be assured that we will make every effort to ensure this does not happen again. DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.
We sincerely apologize for any inconvenience this may have caused. See below for additional information you may find useful.
Philip S. Kaplan
Chief Privacy Officer
U.S. Department of Homeland Security
Updated: January 18, 2018
I received a notice letter that states the DHS Employee List included individuals employed by DHS in 2014. I was not employed by DHS in 2014. Am I still affected by this privacy incident?
If you received a letter, DHS has confirmed that your personal information was included in this privacy incident regardless of when you were employed by DHS. The DHS OIG investigation identified a list of individuals employed directly by DHS in 2014. In addition to this specific list, DHS OIG later discovered the names and PII of individuals employed by DHS in various years before and after 2014 that were compiled into a second list. Notice was provided to all DHS employees whose names and PII were found on the aforementioned lists during the DHS OIG investigation. Earlier communications and notice letters mistakenly stated that individuals affected by the breach were employed by DHS exclusively in 2014. While the majority of the affected individuals whose names and PII were included in this privacy incident were employed by DHS in 2014, the population of affected individuals also includes individuals employed by DHS in other years. DHS OIG sincerely apologizes for this error and any confusion it may have caused.
What information was compromised?
The compromised information included the personally identifiable information (PII) of two groups of individuals:
- DHS Employee Data: Approximately 246,167 federal government employees who were employed directly by DHS. Most of these individuals were employed by DHS during 2014. However, this data may include some individuals that were employed by DHS in other years. The PII for these individuals includes names, Social Security numbers, dates of birth, positions, grades, and duty stations. This list of federal government employees was used by DHS OIG Office of Investigations to conduct identity confirmation during the complaint and investigative process.
- Investigative Data: Individuals associated with DHS OIG investigations from 2002 through early 2017, which includes subjects, witnesses and complainants who were both DHS employees and non-DHS employees. The PII contained in this database varies for each individual depending on the documentation and evidence collected for a given case. Information contained in this database could include names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses, and personal information provided in interviews with DHS OIG investigative agents.
Why did it take from May 2017 to December 2017 to get a notice sent to those individuals who were affected?
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.
What do I need to do?
DHS has arranged for AllClear ID to protect your identity for 18 months at no cost to you. The following identity protection services start on the date of this notice and you can use them at any time during the next 18 months.
- AllClear Identity Repair: This service is automatically available to you with no enrollment required. Identity repair is intended to address issues related to credit restoration or recovery of financial losses. If an issue arises, please call AllClear ID at (855) 260-2767 and a dedicated investigator will assist you.
- AllClear Credit Monitoring: This service entails credit monitoring and a $1 million identity theft insurance policy. To use this service, you will need to provide your personal information and the redemption code in your Notice to AllClear ID directly. You may sign up online at www.enroll.allclearid.com or by calling AllClear ID at (855) 260-2767.
After contacting AllClear, you will need to take additional steps in order to activate your phone alerts and other monitoring options available to you. AllClear staff will guide you through the process.
What else can I do to protect myself?
The Department’s Chief Privacy Officer and Chief Security Officer recommend that you help prevent unauthorized access and/or possible fraudulent activity on your financial accounts. Below are steps you can take to protect your identity.
- Consult the Federal Trade Commission’s IdentityTheft.gov website.
- Determine if a credit freeze is right for you. Credit freezes, also known as security freezes, make it more difficult for someone to open new accounts in your name. Generally, during a credit freeze your credit information can only be accessed by your existing creditors and debt collectors. Opening a new account in your name is more difficult because most institutions require a credit report to open a new account. However, please note that a credit freeze may not be suitable if you anticipate obtaining a loan or line of credit in the near future (i.e., mortgage or a car loan). Please contact the credit bureaus below for more information.
- Reach out to the three major credit bureaus regarding credit freezes and credit reports:
- Review your free credit report carefully. If you find errors, take these steps:
  - Dispute them yourself. You don’t need to use a credit repair service. By law, consumer reporting agencies and the creditors that provide the information in your credit report are responsible for correcting inaccurate or incomplete information in your report.
  - If errors on your credit report seem to be the result of someone stealing your identity, go to identitytheft.gov to get personalized steps to report and recover from identity theft.
Please be alert to any phone calls, emails, and other communications from individuals claiming to be from DHS, or other official sources asking for your personal information or asking that you verify such information. This is often referred to as information solicitation or “phishing.” DHS will never contact you by phone and ask you to provide any sensitive/identifying information.
Did this privacy incident include information about my spouse, children, other family members and/or close associates?
The DHS Employee File is a file that only contained information about individuals that were employed directly by DHS. This file did not include any information about employees’ spouses, children, family members and/or close associates.
The breach of the DHS OIG Case Files included individuals associated with DHS OIG investigations. Family members and close associates were impacted by this privacy incident only if they were involved in a DHS OIG investigation. If you, a family member, and/or close associate believe you/they were impacted by this incident, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.
Does this mean that all employees who appear in the DHS Employee File are or were under investigation by DHS OIG?
No. All employees’ information was in this file regardless of whether or not they were involved with an investigation. You were mailed a notification because DHS determined that you were included in the DHS Employee File. DHS OIG runs queries against this file to confirm the identities of individuals associated with DHS OIG investigations. In order for this search to function properly, the file must include all employees regardless of whether they are associated with an investigation.
I believe I was associated with a DHS OIG investigation from 2002 through 2017. Am I impacted by this privacy incident? What should I do?
You may be impacted by this privacy incident if you were associated with a DHS OIG investigation from 2002 through 2017 in any capacity including as a subject, complainant, or witness. If you believe you were associated with a DHS OIG investigation from 2002 through 2017, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.
What if I already have identity theft protection from a prior privacy incident?
You may have been offered similar services in the past if you were impacted by other cybersecurity or privacy incidents. If you are already enrolled in identity theft protection and credit monitoring services, the decision of whether to sign up for services provided by DHS is your choice. The Federal Trade Commission has helpful resources available on its website concerning identity theft and what steps you should take when an incident occurs: https://www.ftc.gov/idtheft.
What is DHS doing to better secure employees’ PII?
DHS OIG has implemented a number of security precautions to further secure the DHS OIG network, which include:
- Placing additional limitations on which individuals have back end IT access to the case management system;
- Implementing additional network controls to better identify unusual access patterns by authorized users; and
- Performing a 360-degree review of DHS OIG’s development practices related to the case management system.