Security Experts:

Connect with us

Hi, what are you looking for?



DHS Says Software Vulnerability Put Sensitive Employee Information At Risk

The Department of Homeland Security warned its employees their personal data may have been exposed as a result of a vulnerability in the software used by a DHS vendor to gather and store sensitive personally identifiable information (PII).

The Department of Homeland Security warned its employees their personal data may have been exposed as a result of a vulnerability in the software used by a DHS vendor to gather and store sensitive personally identifiable information (PII).

A software application used by a DHS vendor had a vulnerability which, if exploited, could allow unauthorized users to access stored data, DHS said in an alert released this week. The flaw potentially exposed user information, including name, Social Security number, and date of birth, stored in that database. Other information provided in the SF-86, the standard security questionnaire, was not accessible. DHS has seen no evidence that any unauthorized user managed to access any personal data, but is still investigating.

“Out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance, of the potential vulnerability,” the agency said in the alert.

DHS LogoThe software gathers and stores sensitive personally identifiable information used for conducting background investigations. Employees and contractors who submitted information for a background investigation, and people who received a DHS clearance, between July 2009 and May 2013 may have been affected. The bulk of affected individuals were part of DHS headquarters, US Customs and Border Protection, and Immigration and Customs Enforcement, according to the alert.

“Since many organizations have hardened defense mechanisms against direct attacks targeting their front-office applications or network infrastructure, hackers are increasingly focusing on the IT supply chain as a new attack vector,” Torsten George, vice-president of IT risk management at Agiliance, told SecurityWeek.

It appears a law enforcement agency contacted DHS about the potential vulnerability. As has been shown time and time again, organizations frequently learn about breaches from third-parties, not from their own monitoring efforts.

The vulnerability, which has since been addressed, appears to have been present since July 2009.

“This vulnerability disclosure by the Department of Homeland Security is the latest example of the need for government agencies and enterprises to monitor and manage IT security risks downstream in the software supply chain,” said George.

U.S. Customs and Border Protection has already issued a stop work and cure notice to the vendor, and DHS is evaluating all legal options about pursuing costs incurred while mitigating the damages, according to the alert. DHS is also reviewing contracts with other vendors who provide similar services to ensure they are taking necessary steps to protect PII.

“As cyber-attacks against the software supply chain increase, we expect organizations to extend their vulnerability assessments beyond vendor risk surveys and have third-party service providers test software applications prior to procurement and deployment,” George said.

Employees should take steps to protect themselves, including requesting fraud alerts and a credit report to check recent activity. DHS is working with the vendor to determine how to contact current contractors, inactive applicants, and former employees and contractors.

Employees who may have been affected or have questions can contact the call center at 1-855-891-2739 or email [email protected]

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.