Privacy Incident Involving DHS OIG Case Management System (Update)
01-18-2018 07:37 AM
Release Date: January 18, 2018

DHS has received new information about this privacy incident that clarifies the impacted population:
Original Message
Release Date: January 3, 2018

On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System. The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.

Message Received by Affected DHS Employees

This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG). You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.

On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.

This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”). The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).

The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized exfiltration.

All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services.
Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017. Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data. Therefore, if you were associated with a DHS OIG investigation from 2002 through 2014, you may contact AllClear ID at (855) 260-2767 for information on credit monitoring and identity protection services.

The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted. Please be assured that we will make every effort to ensure this does not happen again. DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.

We sincerely apologize for any inconvenience this may have caused. See below for additional information you may find useful.

Sincerely,
Philip S. Kaplan
Chief Privacy Officer
U.S. Department of Homeland Security

Frequently Asked Questions
Updated: January 18, 2018

I received a notice letter that states the DHS Employee List included individuals employed by DHS in 2014. I was not employed by DHS in 2014. Am I still affected by this privacy incident?

If you received a letter, DHS has confirmed that your personal information was included in this privacy incident regardless of when you were employed by DHS. The DHS OIG investigation identified a list of individuals employed directly by DHS in 2014. In addition to this specific list, DHS OIG later discovered the names and PII of individuals employed by DHS in various years before and after 2014 that were compiled into a second list. Notice was provided to all DHS employees whose names and PII were found on the aforementioned lists during the DHS OIG investigation.

Earlier communications and notice letters mistakenly stated that individuals affected by the breach were employed by DHS exclusively in 2014. While the majority of the affected individuals whose names and PII were included in this privacy incident were employed by DHS in 2014, the population of affected individuals also includes individuals employed by DHS in other years. DHS OIG sincerely apologizes for this error and any confusion it may have caused.

What information was compromised?

The compromised information included the personally identifiable information (PII) of two groups of individuals:
The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.

What do I need to do?

DHS has arranged for AllClear ID to protect your identity for 18 months at no cost to you. The following identity protection services start on the date of this notice and you can use them at any time during the next 18 months.
What else can I do to protect myself?

The Department’s Chief Privacy Officer and Chief Security Officer recommend that you help prevent unauthorized access and/or possible fraudulent activity on your financial accounts. Below are steps you can take to protect your identity.
Did this privacy incident include information about my spouse, children, other family members and/or close associates?

The DHS Employee File is a file that only contained information about individuals that were employed directly by DHS. This file did not include any information about employees’ spouses, children, family members and/or close associates.

The breach of the DHS OIG Case Files included individuals associated with DHS OIG investigations. Family members and close associates were impacted by this privacy incident only if they were involved in a DHS OIG investigation. If you, a family member, and/or close associate believe you/they were impacted by this incident, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.

Does this mean that all employees who appear in the DHS Employee File are or were under investigation by DHS OIG?

No. All employees’ information was in this file regardless of whether or not they were involved with an investigation. You were mailed a notification because DHS determined that you were included in the DHS Employee File. DHS OIG runs queries against this file to confirm the identities of individuals associated with DHS OIG investigations. In order for this search to function properly, the file must include all employees regardless of whether they are associated with an investigation.

I believe I was associated with a DHS OIG investigation from 2002 through 2017. Am I impacted by this privacy incident? What should I do?

You may be impacted by this privacy incident if you were associated with a DHS OIG investigation from 2002 through 2017 in any capacity including as a subject, complainant, or witness. If you believe you were associated with a DHS OIG investigation from 2002 through 2017, please contact AllClear ID at (855) 260-2767 for more information on credit monitoring and identity protection services.
What if I already have identity theft protection from a prior privacy incident?

You may have been offered similar services in the past if you were impacted by other cybersecurity or privacy incidents. If you are already enrolled in identity theft protection and credit monitoring services, the decision of whether to sign up for services provided by DHS is your choice. The Federal Trade Commission has helpful resources available on its website concerning identity theft and what steps you should take when an incident occurs: https://www.ftc.gov/idtheft.

What is DHS doing to better secure employees’ PII?

DHS OIG has implemented a number of security precautions to further secure the DHS OIG network which includes: