Privacy Incident Involving DHS Office of Inspector General Case Management System

On January 3, 2018, select DHS employees received notification letters that they may have been impacted by a privacy incident related to the DHS Office of Inspector General (OIG) Case Management System.  The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized unauthorized transfer of data.

Message Received by Affected DHS Employees
This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG).  You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.

On May 10, 2017, as part of an ongoing criminal investigation being conducted by DHS OIG and the U.S. Attorney’s Office, DHS OIG discovered an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.

This privacy incident involved the release of personally identifiable information (PII) contained in the DHS OIG case management system and affects two groups of individuals. The first group consists of approximately 247,167 current and former federal employees that were employed by DHS in 2014 (the “DHS Employee Data”).  The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).

The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individual’s personal information was not the primary target of the unauthorized exfiltration.
All individuals potentially affected by this privacy incident are being offered 18 months of free credit monitoring and identity protection services. Notification letters were sent to all current and former employees who were potentially affected by the DHS Employee Data on December 18, 2017.  Due to technological limitations, DHS is unable to provide direct notice to the individuals affected by the Investigative Data. Therefore, if you were associated with a DHS OIG investigation from 2002 through 2014, you may contact AllClear ID at (855) 260-2767 for information on credit monitoring and identity protections services.

The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted. Please be assured that we will make every effort to ensure this does not happen again.  DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns. We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.

We sincerely apologize for any inconvenience this may have caused.  See below for additional information you may find useful.
Sincerely,
Phillip S. Kaplan
Chief Privacy Officer
U.S. Department of Homeland Security