The Department of Homeland Security warned its employees their personal data may have been exposed as a result of a vulnerability in the software used by a DHS vendor to gather and store sensitive personally identifiable information (PII).
A software application used by a DHS vendor had a vulnerability which, if exploited, could allow unauthorized users to access stored data, DHS said in an alert released this week. The flaw potentially exposed user information, including name, Social Security number, and date of birth, stored in that database. Other information provided in the SF-86, the standard security questionnaire, was not accessible. DHS has seen no evidence that any unauthorized user managed to access any personal data, but is still investigating.
“Out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance, of the potential vulnerability,” the agency said in the alert.
The software gathers and stores sensitive personally identifiable information used for conducting background investigations. Employees and contractors who submitted information for a background investigation, and people who received a DHS clearance, between July 2009 and May 2013 may have been affected. The bulk of affected individuals were part of DHS headquarters, US Customs and Border Protection, and Immigration and Customs Enforcement, according to the alert.
“Since many organizations have hardened defense mechanisms against direct attacks targeting their front-office applications or network infrastructure, hackers are increasingly focusing on the IT supply chain as a new attack vector,” Torsten George, vice-president of IT risk management at Agiliance, told SecurityWeek.
It appears a law enforcement agency contacted DHS about the potential vulnerability. As has been shown time and time again, organizations frequently learn about breaches from third-parties, not from their own monitoring efforts.
The vulnerability, which has since been addressed, appears to have been present since July 2009.
“This vulnerability disclosure by the Department of Homeland Security is the latest example of the need for government agencies and enterprises to monitor and manage IT security risks downstream in the software supply chain,” said George.
U.S. Customs and Border Protection has already issued a stop work and cure notice to the vendor, and DHS is evaluating all legal options about pursuing costs incurred while mitigating the damages, according to the alert. DHS is also reviewing contracts with other vendors who provide similar services to ensure they are taking necessary steps to protect PII.
“As cyber-attacks against the software supply chain increase, we expect organizations to extend their vulnerability assessments beyond vendor risk surveys and have third-party service providers test software applications prior to procurement and deployment,” George said.
Employees should take steps to protect themselves, including requesting fraud alerts and a credit report to check recent activity. DHS is working with the vendor to determine how to contact current contractors, inactive applicants, and former employees and contractors.
Employees who may have been affected or have questions can contact the call center at 1-855-891-2739 or email [email protected]