The new DHS breach illustrates what's wrong with today's cybersecurity practices
This month, the Department of Homeland Security notified affected employees about a 2014 breach of 247,167 employee records. There are many interesting details in the department’s disclosure, including the fact that there was a six-month privacy investigation between the discovery of the breach and the notification, and the fact that the records were uncovered during a criminal investigation. DHS even revealed that the records were found in the possession of a former DHS Office of Inspector General employee.
But the part that jumped out the most was how explicit DHS was about characterizing this as a “privacy incident.” In its public statement, the department made no mention of the incident as an insider threat issue, despite the records being found in the possession of a former employee.
Rather than question DHS’s designation of this as a “privacy incident,” we should focus on what that designation means. Labeling this a privacy incident suggests that a distinct cyber incident would require an outsider gaining access through the network. It could also indicate that DHS made the categorization only after waiting until its forensics demonstrated it was not exposed to malicious activity.