A hacker has contacted Motherboard and claims to have hacked into a computer at DHS and downloaded 200 GB of data, including employee contact information such as names, phone numbers and email addresses.
The hacker claimed in a conversation with Motherboard that they got a user ID and password but could not get past the two-factor authentication. The hacker contacted the DHS help desk and told them he was a new employee. The help desk, being helpful, gave the hacker their token to get into the portal. At that point the hacker was in and had access to a terabyte of data.
Information on about 9,000 DHS employees was posted this afternoon, and the hacker says that he has information on 20,000 FBI employees as well.
DHS downplays the attack, but there are some issues:
- The DHS helpdesk was apparently socially engineered.
- What else was in the 200 GB of data that the hacker claims to have taken?
- DHS is the repository for all of the data that private businesses share under the CISA law passed last year. And, under the law, you can’t sue businesses that share your private data with the gov, even if the gov gets hacked. Which, apparently, is not hard to do.
Stay tuned as this unfolds. It may be significant in terms of the data compromised, it may not be, but in terms of us trusting DHS to store our data securely, this is clearly a black eye.