
Exposure of DHS Employees’ Personal Data Shows Widespread Risk


Law enforcement authorities tipped off the Homeland Security Department to a software error that had exposed personal details of DHS employees holding security clearances -- not the contractor responsible for protecting the data, underscoring a potential weakness in the federal procurement cycle. 

Department officials early last week notified personnel that an unnamed security vendor had used a software program containing a “vulnerability” that could have revealed their sensitive information, “including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations.” The data had been at risk from July 2009 until recently, when DHS fixed the system.

Organizations across all sectors, from the General Services Administration to Apple, are threatened by software flaws that go unnoticed until a hacker exploits the glitch to steal data, or a hired penetration tester finds the weakness. DHS officials declined to comment when Nextgov asked how the vulnerability was discovered, and by whom. Federal contracts often do not require penetration testing, sometimes referred to as ethical hacking. 

"That's so common. If you don't tell me that I have to do something, I’m probably not going to do it, because I make more money that way," said Chris Eng, vice president of research at software security firm Veracode. A 2011 Veracode study indicated government applications have a 40 percent higher incidence of coding mistakes that are prone to abuse than software used in other industries.

This latest tech contractor misstep comes as the Obama administration, pursuant to a February computer security executive order, considers incorporating national cyber standards into federal acquisitions. Some vendors object to procurement language that would impose certain uniform software testing methods.

In written comments filed last week, the Software and Information Industry Association urged the executive branch to steer clear of prescribing any “software assurance scheme that would establish the government as a leader in the process of developing technology, or that would create a U.S.-centric standard.” The submission went on to state the trade group “opposes any effort to micromanage the conformance-based assurance models” that might create barriers to international trade.

It is unclear whether the DHS business agreement at issue stipulated that security testing be performed on software prior to installation, or, if built in-house, whether testing was part of the software development process. Homeland Security officials said they are revisiting all contracts with security vendors who provide the same type of services. The department wants “to ensure all necessary requirements for protecting [personal information] are incorporated and that compliance mechanisms and incident response are included,” according to a DHS statement.

The Pentagon is exposed to the same kind of programming flaws. Amid high-profile hacks facilitated by design flaws in computer code, a policy codified by the 2013 National Defense Authorization Act will require military software suppliers to follow new testing rules.

DHS officials said the department recently learned of the glitch from "a law enforcement partner." They added: "There is no evidence that any unauthorized user accessed any personally identifiable information." Eng speculated authorities might have discovered merely the existence of the flaw while monitoring online forums where hackers tend to sell or share software vulnerabilities. The vague statement does not eliminate the possibility that a bad actor collected actual data without leaving a trail.

"If you parse the words carefully -- they are also not saying they have conclusively ruled it out. It's ambiguous wording. It's wording that is used frequently," he said. "It's not always possible for them to tell at that level of detail what was or was not breached."

Earlier this year, a user of an online federal contracting registry found a way of bypassing security controls to see every awardee’s personal and proprietary data, prompting the government to alert registrants about possible fraud, according to GSA, the system’s owner. IBM, the contractor operating the database, called the System for Award Management, or SAM, failed to detect the issue.

After both the DHS and GSA incidents, agency officials recommended that affected individuals place a fraud alert on their credit files.

Consumer technology companies have also recently stumbled upon software defects, to their dismay. Twitter, Facebook and Apple disclosed intrusions, reportedly perpetrated when their employees visited an infected software developer website that then passed malware on to their machines. Shortly afterward, Microsoft confirmed its corporate systems had suffered similar compromises.

(Image via Maksim Kabakou/
