Commentary: DHS breach of 247,167 employee records illustrates mislabeling and handling of today’s cyber security practices

CyberWisdom Safe Harbor Commentary:

This Safe Harbor Commentary looks at how the breach of data by an insider, and the mislabeling of the case, have damaged public and employee trust in DHS as the Safe Harbor in Cyber for the Federal government, and in security and cyber data breach reporting.

DHS Cyber Breach Story Summary:

To recap my recent post: the DHS Office of Inspector General Case Management System privacy incident exposed the sensitive personal information of 246,167 Federal Government employees, and DHS believes that it was not a cyber attack by outside actors. The incident disclosed the personally identifiable information of these individuals, including their names, Social Security numbers, dates of birth, positions, grades and duty stations. The breach affected only individuals who were employed by the Department of Homeland Security in 2014 or who were associated with a Department of Homeland Security OIG investigation from 2002 through 2014. The unauthorized activity was discovered on May 10, 2017, during a criminal investigation conducted by DHS OIG and the United States. In that investigation, DHS OIG found an unauthorized copy of its investigative case management system in the possession of former OIG employees at DHS.

This month, the Department of Homeland Security informed affected employees about a 2014 breach of 247,167 employee records. There are many interesting details in the department's disclosure, including a six-month privacy investigation between the discovery of the breach and the notification, and the fact that the records were found during a criminal investigation. The Department of Homeland Security even said the records were in the hands of a former employee of the Office of the Inspector General of the Department of Homeland Security.

But the most prominent part is how the Department of Homeland Security describes the situation as a “privacy event.” In its public statement, although the records were found in the possession of a former employee, the department did not describe the incident as an insider threat.

Furthermore…

The incident affected two groups. The first group consists of approximately 247,167 current and former federal employees who were employed by DHS in 2014.

The second group is comprised of individuals (i.e., subjects, witnesses, and complainants) associated with DHS OIG investigations from 2002 through 2014 (the “Investigative Data”).

According to the information provided by the Office, “there is evidence that the personal information of affected individuals is not the primary goal of unauthorized data transfer without authorization.”

In addition, according to the New York Times, the former employees stole the OIG’s computer system with the plan to “modify the proprietary software for managing investigative and disciplinary cases, so that they could market and sell it to other inspector general offices across the federal government.”

Second, the Department of Homeland Security is providing 18 months of free credit monitoring and identity protection to all individuals who may be affected by the incident.

THIS TOKEN COMPENSATION IS NOT ENOUGH TO COMPENSATE FOR THE PERSONAL AND NATIONAL SECURITY DANGER THAT EMPLOYEES AND FORMER EMPLOYEES WILL FACE FOR YEARS TO COME IF THIS SENSITIVE DATA IS SPREAD IN THE WILD FOR MONETARY GAIN!

Proper Breach Category: Cyber Incident with Intent

If the NY Times quote is true, then the case may be mislabeled and should be categorized as an insider cyber incident with the intent to distribute or steal sensitive data. Rather than question the Department of Homeland Security's decision to call this a “privacy incident,” we should focus on what that designation means. Labeling this a privacy incident suggests that a distinct cyber incident would require an outsider gaining access through the network. It may also indicate that the classification was made only after the Department of Homeland Security waited for its forensic analysis to show that it had not been subjected to malicious activity.

If malicious access is required, any reporting schedule the agency or company has to follow needs to be significantly longer than previously thought. This extra time will allow forensic teams to do their job accurately and fairly, without having to jump to conclusions in order to meet the reporting schedule.

In addition, privacy incidents may have different reporting requirements than network incidents. These are gaps that may need to be addressed, as user data is ultimately compromised in both cases. The distinction becomes even harder to draw when data is exposed in open Amazon S3 buckets without malicious access. Should this be classified as a privacy event or a network event?

The boundaries between privacy incidents, security incidents, insider events and fraud are blurred at best. We hope that regulation, policy and, most importantly, stakeholder expectations will develop to ensure that all parties are notified, and the event is reported and remedied, whenever information is received, lost, compromised or affected. Regardless of how the events are classified, these basic criteria should apply. It is not enough to look at technology, events or existing buckets, such as fraud, privacy or security practices. Instead, the emphasis should be on trust and security.

However this and other events are classified, the result is the same: the organization has lost some of the trust of employees, customers, other stakeholders and future applicants. Second, the breach of data by an insider, and the mislabeling of the case, have damaged our trust in DHS as Safe Harbor in Cyber for the Federal government. In the case of the Department of Homeland Security, reports of the incident did not mention privacy in the title, but instead used the term “data breach.” In this case, the wording is appropriate because many people do not care what it is called: the data was leaked by the same agency that is charged with Homeland Cyber Security.

For the Department of Homeland Security and other federal agencies, these designations, and the different requirements associated with them, can directly affect the behavior of those who respond to the incident. It is important to provide an atmosphere that encourages CIOs and CISOs to review and report events if the government is to respond successfully to emergencies, whether the legislative and executive branches are responding to PII violations or to acts of state actors.

Such reporting should acknowledge that it usually takes a long time to fully understand an incident. If legislative and institutional leaders demand real-time updates, they need to understand that the information they receive first is not only incomplete but often inaccurate.

Much progress has been made in focusing on results and compliance, but much remains to be done. Organizations should pay less attention to violations (hacking, insider fraud, etc.) and focus more on building and maintaining customers’ trust in their products and services.

If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Commentaries.

I agreed with the following article from The Hill which forms the basis of my commentary.

This month, the Department of Homeland Security notified affected employees about a 2014 breach of 247,167 employee records. There are many interesting details in the department’s disclosure, including the fact that there was a six-month privacy investigation between the discovery of the breach and the notification, and the fact that the records were uncovered during a criminal investigation. DHS even revealed that the records were found in the possession of a former DHS Office of Inspector General employee. But the part that jumped out the most was how explicit DHS was about characterizing this as a “privacy incident.” In its public statement, the department made no mention of the incident as an insider threat issue, despite the records being found in the possession of a former employee. Rather than question DHS’s designation of this as a “privacy incident,” we should focus on what that designation means. Labeling this a privacy incident suggests that a distinct cyber incident would require an outsider gaining access through the network.
