Contractor potentially compromised IDs of cleared DHS personnel

Government (U.S.)

A federal vendor that helped screen DHS personnel had been using software with a “vulnerability” that could have potentially exposed to unauthorized users “information including name, Social Security numbers (SSN) and date of birth (DOB), stored in the vendor’s database of background investigations.” Homeland Security officials said the department “was recently informed” of the flaw “by a law enforcement partner.”

The system was potentially accessible since July 2009.

There is no evidence that any unauthorized user actually accessed any of the information in question.

The purpose of the software was to gather and store sensitive personal information for processing personnel security investigations. “The vendor CBP has issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.”

The compromise mainly affected individuals who received a DHS clearance, between July 2009 and May 2013, for positions at DHS headquarters, Customs and Border Protection, and Immigration and Customs Enforcement.

Out of caution, during the week of May 20, DHS alerted employees and individuals who received a DHS clearance and outlined ways that they can protect themselves, including requesting fraud alerts and a credit report.

DHS is reviewing contracts with other security vendors who provide the same type of services to ensure all necessary requirements for protecting personal information are incorporated and that compliance mechanisms and incident response are included. 

Original Report:
www.dhs.gov/pii
