The breach also affected non-DHS employees who communicated with the department’s inspector general.
Personal information about more than 247,000 Homeland Security Department employees and other people connected with the agency was compromised in 2014, the department’s internal auditor said Wednesday.
In May, the Homeland Security inspector general’s office found a copy of its investigative case management system—and the reams of personal information it contained—in the possession of a former inspector general’s office employee, according to a department statement.
Inspectors found the case management system as part of a criminal investigation but did not say if the former employee is the target of that investigation.
The statement also did not provide details about how the system ended up in the former employee’s possession except to say that it was not the result of a third-party cyberattack and that other employees’ personal information was not the target of the “unauthorized exfiltration.”
USA Today described the breach in November based on leaked documents but Homeland Security did not confirm the breach at that time.
The case management system contained personal information on 247,167 Homeland Security employees who worked for the department when the information was removed in 2014, the department said.
It also contained information about non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014, the department said. The statement does not say how many non-employees were in that group.
The department is “implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns” in the future, according to the statement.
The statement did not describe what personal information was compromised. Personal information can range from less sensitive information, such as names and phone numbers, to highly sensitive information, such as Social Security numbers and financial data.
The department is offering free credit monitoring to employees and other people whose information was compromised. Employees were informed about the breach in a Wednesday letter, but the department won’t directly notify non-employees because of “technological limitations.”
The notice includes a contact number for non-employees who were associated with Homeland Security inspector general investigations to request credit monitoring.
Security experts have often said credit monitoring is less effective at preventing criminals from profiting off your leaked information than other steps such as freezing your credit.
“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information [with] which they are entrusted,” the notice states.