Well that's embarrassing...
I wonder who they will find to extradite to the US for this one?
Some inward looking reflective thinking required all round at DHS then!
More than 240,000 current and former employees of the US Department of Homeland Security have had their personal details exposed in a data breach. In what it describes somewhat euphemistically as a “privacy incident”, the DHS said the breach could also affect anyone who was part of an investigation by the DHS Office of …
https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
Themselves? Little stay in Gitmo anyone? But hey, no big deal, they probably already leaked everyone's details here:
https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
Plus, this fixes everything right?.. "performing a 360-degree review"... Sounds like they'll be chasing their own tails. Either way, "in a bid to reassure people" when it happens again, this must be a comfort to anyone not already leaked by Equifux:
"It added that anyone potentially affected was being offered 18 months of free credit monitoring and identity protection services."
"Plus, this fixes everything right?.. "performing a 360-degree review"... Sounds like they'll be chasing their own tails."
Nice, chasing their own tails doing a full circle. Whenever I see that 360 degree thing, I always wonder why they ignore the vertical axis. Looking around is ok, but you also need to look up and down. But I'll be snagging your chasing tails reference for later use :-)
The people who bear ultimate responsibility for most of these incidents tend to be several paygrades above the people who do the dirty deed - hence looking at the culprit and others at the same level but quietly ignoring the decisions that allowed the problem to occur in the first place...
Sounds like a former developer had made a home office copy (probably for overtime / out of hours support purposes) and forgot to delete it when they left. Seems to me to be more in the "oops, no foul intended" category than the "EVERYONE IS DOXXED AND THE SKY IS FALLING IN OMG!!1!" category.
True. Something can be criminal when done with the best of intentions. And something truly evil can be perfectly lawful, of course.
I was (somewhat ham-fistedly) trying to suggest that this looked, to my eyes, more like it might be someone trying to be helpful rather than someone trying to make a fast buck on the side.
No doubt we'll hear more when the unlucky dev/would-be darknet kingpin* gets 20 years.
* delete as applicable.
Which came first, the discovery or the investigation?
As I read it, the "criminal investigation" used as an excuse not to tell everyone they might be in trouble earlier was the desperate scrabbling to find out what he'd done with his copy of the database and how he'd got it rather than something else being investigated and someone noticing this person getting up to mischief.
it affects an undefined number of people that were under investigation by the office between 2002 and 2014 - this could be subjects, witnesses and complainants, and is not limited to DHS employees.
[..]
anyone potentially affected was being offered 18 months of free credit monitoring and identity protection services.
So free credit monitoring for everyone, right? If they can't tell who is affected, anyone is potentially affected.
I mean, it has Security right in the name, right?
Seems like the Paranoid Department isn't paranoid enough. Of course, it's tiring to be paranoid all the time, especially when it's your 9 to 5 day job. Seems that some of these guys are just in it for the paycheck now.
Insecurity, more like.
Plenty paranoid, but just not paranoid enough when it comes to the dull day to day info-sec.
Just not exciting enough for the gizzards and danglies of the everyday employee of the institution to be safely kept out of the bite of sharks then?
In addition, it said it would be “performing a 360-degree review of DHS OIG’s development practices related to the case management system”.
What? You are going to run around in circles?
SOP: everyone stands in a circle, points to the left and says, "He did it!" when asked until the investigator gets back to the first one, stamps the case "Investigated" and everyone goes back to doing what they were doing, nothing changed.
240 000 names and all the details of their ongoing investigations.
What's that? GB? TB?
And Sys Admins did not notice someone copying "The-database-that's-not-meant-to-be-copied?"
F**kwits.
BTW this being HS will that include any foreign passenger data as well? Probably but this being the US they will follow the f**kem-they're-furriners rule.*
*As opposed to the f**kem-they're-not-furriners rule the NSA has been using for letting the FBI query its massive data slurp.
This *sounds* like a "What the hell do you mean there were no backups run yet? -- This is a full rev level update to the MoFo DB software!!!!" moment. I've shot down weekend outage updates for this sort of crap *just* to make sure there were no DBAs wandering around with "Oh shit" copies.
But then again it could be a DBA having to fix some screwed up query taking a copy home so he "could play with it offline over the weekend". (Just what the #@$%@# do you think that dev and qa environment is for you #@$%????)
(Hmm I seem down a coffee or six. Back in a bit)
No one is safe anywhere from digital revenge, hacking or other digital crimes. Authorities don't have a snowball's chance in Hell of improving security and reducing digital crime because authorities are outnumbered 10,000 to 1 and the crim population is increasing exponentially by the week.