The U.S. Department of Homeland Security has sent warning letters to roughly 114 organizations whose data was exposed when hundreds of documents were accessed without authorization.
The move came after the department's Science and Technology Directorate was notified of the breach by a company that manages its external Small Business Innovation Research (SBIR)/Long Range Broad Agency (LRBAA) Web portal. Some 520 documents -- including whitepapers, decision notification letters, and documents regarding contract awards -- were accessed in the incident.
Sixteen of the organizations had bank information in the documents. All of the affected organizations were notified by the Science and Technology Directorate (S&T). According to a copy of the letter posted by security blogger Brian Krebs, the breach is believed to have occurred in the past four months.
"Notably, the letter does not assert that any security protocols, such as password protection or encryption, were circumvented to access the information," says Aaron Titus, chief privacy officer and general counsel at Identity Finder. "It's not even clear that the access was malicious."
"In my experience, breaches like this are often the result of a failure of basic sensitive data management practices," he says. "It's entirely possible that this information was accidentally left on a public server for four months without password or encryption protection."
None of the documents were classified, according to DHS. The agency did not offer any information about how exactly the data was accessed, stating only that the documents were downloaded from the portal by people outside of DHS. The incident remains under investigation.
"Since discovery of this incident, Science and Technology Directorate (S&T) has worked with the operator of this external Web portal to identify and resolve the security vulnerability, and all appropriate measures have been taken," a DHS S&T spokesperson tells Dark Reading. "All of the affected documents have been thoroughly reviewed to determine if there was a loss of sensitive personally identifiable information, proprietary or business-sensitive information, security information, export control sensitive information, and all potentially affected parties were notified before any nefarious activity could take place.
"S&T takes its responsibility to safeguard personal information seriously and is working with appropriate law enforcement partners on the ongoing investigation to determine the cause of the incident and the identities of the perpetrators,. It is important to note that none of S&T's internal systems were accessed or compromised."
Last year, DHS warned employees and former employees that their data may have been compromised after a vulnerability was discovered in software used by a DHS vendor to process personnel security investigations. The software was used to gather and store sensitive personally identifiable information (PII) for background organizations.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio