Most vulnerabilities are discovered by third parties, but the fact that the department was alerted by a “law enforcement partner” raises the question of whether a breach occurred.
The Homeland Security Department has notified some employees that personally identifiable information used for security clearances and stored in a third-party database could have been exposed to unauthorized users.
The notifications came after DHS was alerted to a vulnerability in the vendor software by a “law enforcement partner.” According to a public notice the vulnerability could have been in place for as long as four years but has been addressed after being identified.
The department said there is no evidence that the information, which included Social Security numbers and dates of birth, had been improperly accessed, although it is investigating what, if any, personally identifiable data might have been accessed since 2009. The fact that law enforcement was involved raises the possibility that a breach occurred. DHS officials have declined to comment on the incident beyond the public notice.
It is not surprising that DHS was notified by a third party of the vulnerability. Most vulnerabilities are discovered by legitimate “white hat” researchers, who usually report them to the software vendor before they are publicly disclosed. In this case, it was law enforcement rather than researchers that appear to have discovered the problem. Whether it was part of an active investigation into a security breach is not known.
Many security breaches go unnoticed by victims. According to the Verizon 2013 Data Breach Investigation Report, 69 percent of breaches analyzed in the report were discovered by external parties, and 66 percent of breaches took months or longer to discover.
This is down sharply from the 92 percent discovered by outsiders in the 2012 report, but a majority of reported breaches have been discovered by outsiders in every year of the report, dating back to 2008.
The DHS Customs and Border Patrol agency has issued a “stop work and cure” notice to the vendor. “DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages,” it said in its notice.
The data was part of a database used for background investigations for CBP and Immigrations and Customs Enforcement security clearances. Employees and contractors who received clearance between July 2009 and May 2013 could be at risk. The department said that information included on the standard security questionnaire, beyond SSN and DOB, was not accessible.
NEXT STORY: The hack-back vs. the rule of law: Who wins?