UPDATED 15:12 EDT / MAY 24 2013

NEWS

DHS Security Clearance Information Exposed for Four Years

The Department of Homeland Security (DHS) put out a notice about a “potential PII incident” this week.  PII, of course, means Personally Identifiable Information.  The issue centers on a recently discovered vulnerability that left the personal information of thousands of employees and applicants exposed since the affected software was first put into use in 2009.  The software, operated by a DHS contractor between July 2009 and May 2013, was used to process candidates through background investigations, the standard step required to obtain a security clearance.  Government jobs, law enforcement, and other positions at that level of security rely on this process and the software that comes with it to screen and review candidates.  Data that sat exposed for close to four years because of a software flaw is, to put it mildly, a bad thing.  Social Security numbers, dates of birth, and full names were all among the data that was exposed.

During the week of May 20, 2013, DHS is alerting employees to the potential vulnerability and outlining ways that they can protect themselves, including requesting fraud alerts and credit reports.  The Department is also working with the vendor on notification requirements for current contractors, inactive applicants, and former employees and contractors.  To ensure that affected individuals’ concerns are addressed, DHS has stood up a call center in conjunction with the notifications.  To reach the call center, contact 1-855-891-2739 between 8 am and 8 pm EST or privacyhelp@dhs.gov.

The statement from the DHS also says that there is no evidence the information was actually compromised, only that a vulnerability existed that could have exposed it.  They also go so far as to say that, of all the information collected on the standard SF-86 form, only the limited fields named above (name, Social Security number, date of birth) were part of the exposure.  DHS has responded by issuing a stop-work order and a cure notice to the vendor, presumably under the terms of the contract (a cure notice requires the vendor to correct the deficiency within a set period or face termination; it is not itself a termination), and they make a point of noting that the vulnerability was addressed immediately once it was found.

CBP (Customs and Border Protection) has issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.

Also announced was that, “out of an abundance of caution”, the DHS has alerted employees to the potential vulnerability and outlined ways that they can protect themselves, including requesting fraud alerts and credit reports.  They also shared the Equifax, Experian, and TransUnion contact numbers so that potentially affected individuals can request those alerts and reports.  The DHS has also launched a review, which it describes as part of its commitment to taking the protection of PII seriously.  Under the scope of this review, all contracts with vendors that provide the same type of background-investigation services are being checked to verify that there are no similar issues.  They indicate that compliance mechanisms, incident response, and requirements for protecting PII will all fall within that review.

It hasn’t been made clear how the issue came to light or who notified DHS of it, but it has clearly been traced to the vendor’s database at this point.  The fact that other, similar contractors are being reviewed suggests that DHS is worried about something common to that database and how it was implemented.  A design flaw, an implementation bug, or a lapse in patch maintenance could each be the root cause; the statement gives no way to tell which.  It’s particularly interesting that the DHS is the same agency that the various proposed cybersecurity bills would put in charge of overseeing the sharing of software vulnerability information with the private sector.  This could be a development from that system, or it could simply be the classic contractor/partner problem in security, where you really have to verify what outside parties are doing with their systems and their security.
