Employees at the Department of Homeland Security have been put on alert that a software error might have leaked their personal information, including their name, date of birth, address, Social Security number, and everything else a hungry identity thief could use to secure a delicious new credit card. The leak was due to a vulnerability in the unnamed software, which was sold by an outside vendor to Homeland Security and improperly reviewed before being deployed agency-wide. The vulnerability has been in place since 2009 but DHS was only recently informed of the security risk.
According to Nextgov’s Aliya Sternstein, the vulnerability was discovered by outside law enforcement, who then contacted Homeland Security.
It is important to note that no evidence of illegal exploitation of the vulnerability has been found. Homeland Security said in a statement that it has “issued a stop work and cure notice to the vendor based on its contract. DHS is evaluating all legal options and is engaged with the vendor’s leadership to pursue all costs incurred mitigating the damages.” Hackers from foreign IP addresses (and domestic ones) have routinely tried to harvest information through large-scale attacks.