[ISN] Possible breach of DHS employee data has an unusual twist

http://gcn.com/articles/2013/06/03/dhs-data-breach-employee-info.aspx By William Jackson GCN.com Jun 03, 2013 The Homeland Security Department has notified some employees that personally identifiable information used for security clearances and stored in a third-party database could have been exposed to unauthorized users. The notifications came after DHS was alerted to a vulnerability in the vendor software by a “law enforcement partner.” According to a public notice the vulnerability could have been in place for as long as four years but has been addressed after being identified. The department said there is no evidence that the information, which included Social Security numbers and dates of birth, had been improperly accessed, although it is investigating what, if any, personally identifiable data might have been accessed since 2009. The fact that law enforcement was involved raises the possibility that a breach occurred. DHS officials have declined to comment on the incident beyond the public notice. It is not surprising that DHS was notified by a third party of the vulnerability. Most vulnerabilities are discovered by legitimate “white hat” researchers, who usually report them to the software vendor before they are publicly disclosed. In this case, it was law enforcement rather than researchers that appear to have discovered the problem. Whether it was part of an active investigation into a security breach is not known. Many security breaches go unnoticed by victims. According to the Verizon 2013 Data Breach Investigation Report, 69 percent of breaches analyzed in the report were discovered by external parties, and 66 percent of breaches took months or longer to discover. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org