The Department of Homeland Security this week began notifying up to tens of thousands of employees, contractors and others with a DHS security clearance that their personal data may be at risk.
The notifications began on Monday, according to an online statement, after officials learned of a vulnerability in software used by a vendor to process personnel background investigations. The security vulnerability apparently has existed since July 2009 and the exposed data includes names, Social Security numbers and dates of birth. The security hole was sealed immediately.
“While there is no evidence that any unauthorized user accessed any personally identifiable information, [but] out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance of the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and a credit report,” the agency said.
Those impacted include employees and contractors who submitted background investigation information and anyone else seeking a DHS clearance between July 2009 and May 2013, especially applicants or employees at headquarters, Customs and Border Protection and Immigration and Customs Enforcement.
It was a law enforcement partner who alerted the DHS to the vulnerability in the vendor’s database software. Although DHS does not name the vendor it did say it has issued a “stop work and cure order” and is looking into legal recourse to be financially compensated for damages related to the breach.
Although DHS did not indicate how many people were at risk, a report from Federal News Radio said tens of thousands were potentially impacted.
The agency stressed in the alert that there’s no evidence the sensitive data was illegally accessed. It also mentions that answers to a security questionnaire required of DHS workers, applicants and affiliates were still secure.