
Privacy Incident Involving DHS OIG Case Management System - el_duderino
https://www.dhs.gov/news/2018/01/03/privacy-incident-involving-dhs-oig-case-management-system
======
ntonozzi
Not just employees, but also "subjects, witnesses, and complainants". Yikes.
This is way worse than the last one.

~~~
caseysoftware
> _the last one_

I've lost track now... which one do you mean?

The OPM breach of the SF-86 database is still the worst and most catastrophic
that I'm aware of. That was larger (millions), was the result of background
checks (aka blackmail fodder), included full read/write access (tainted?), and
likely every position that required a clearance outside the CIA.

~~~
ntonozzi
That's the one I meant. You're right, that one does seem worse. I didn't
realize that the previous one had information on so many people.

This one seems especially terrible because it had information on people
unrelated to the US government.

~~~
caseysoftware
During a background check, they start by investigating the subject and
interview friends, family, employers, colleagues, classmates, significant
others, roommates, etc., and may investigate them to some degree. They only
have detailed info on the subject but would still have lots of info on the
others.

*I had a Secret 10+ years ago.

------
mattnewton
Does anyone have experience with the credit protection firms always hired to
attempt to make right in these cases? It seems like the onus is still on the
individual to fix their credit if something bad does happen, so they could
conceivably effectively be doing nothing.

> “...unauthorized unauthorized transfer of data.”

Am I being dense or is this unintended?

~~~
fjsolwmv
Probably a typo, but in the CIA world, there is a lot of 'authorized
unauthorized' "off the books" activity.

~~~
dsfyu404ed
>Probably a typo, but in large and slow moving bureaucracies, there is a lot
of 'authorized unauthorized' "off the books" activity.

FTFY.

It's actually a pretty good way to explain speculative execution. You know you
might need to do something so you just do it using the slush fund and if it
isn't useful you toss the result and if it is useful you keep doing it while
papers are shuffled around and authorization happens. Certainly not ideal but
not unheard of either.

------
saulrh

      Investigative Data: Individuals associated with DHS OIG
      investigations from 2002 through 2014, which includes
      subjects, witnesses and complainants who were both DHS
      employees and non-DHS employees.  The PII contained in this
      database varies for each individual depending on the
      documentation and evidence collected for a given case.
      Information contained in this database could include names,
      Social Security numbers, alien registration numbers, dates
      of birth, email addresses, phone numbers, addresses, and
      personal information provided in interviews with DHS OIG
      investigative agents.

Most of that is business-as-usual for a DB leak, but there's something that
catches my eye:

      personal information provided in interviews with DHS OIG
      investigative agents.

Would this only be information provided by people about themselves, or does
the inclusion of "subjects of investigations" mean that this is a colossal
dump of life-ruining hearsay that could destroy anyone that DHS has ever
touched?

Speaking of which, this bit at the end disgusts me:

      What is DHS doing to better secure employees’ PII?
Why does this read as anything other than "What is DHS doing to better secure
_American citizens'_ PII"? DHS employees aren't the only people affected by
this. I'd expect "subjects, witnesses and complainants of DHS investigations"
to number in the millions.

~~~
fjsolwmv
Put away the pitchforks.

OIG is internal affairs. The people they investigate are employees, not the
public.

[https://www.oig.dhs.gov](https://www.oig.dhs.gov)

~~~
Sir_Substance
Employees /are/ the public.

You don't lose the right to protection from someone's incompetence just because
you're employed by them.

------
dingdongding
And here we go again.

------
wyldfire
Does anyone know if this includes SF-86 and related investigation data?

~~~
caseysoftware
The OIG case data would have nothing to do with SF-86 data which is kept by
OPM.

The OIG investigates complaints against DHS (and child agencies) officials,
employees, and policies brought by Congress, the public, and other agencies.
It's similar to the stereotypical Internal Affairs department in every police
movie.

~~~
wyldfire
OPM keeps that data even for contractors?

------
toomuchtodo
Can someone from USDS chime in? I thought these occurrences were mitigated
against by having tech professionals providing guidance to internal
development teams.

~~~
tomschlick
AFAIK, each agency has to request USDS/18F assistance.

~~~
chatmasta
And it's unrealistic to expect that assistance to prevent breaches, especially
when there are hundreds of government agencies separately running insecure
legacy systems. The USDS/18F has on the order of < 100 employees AFAIK. That
is hardly enough manpower to secure the systems of every government agency.

------
coldcode
Homeland "Security"

~~~
dsfyu404ed
Sounds like a great name for a cinema in the DC area.