Coding Error Left DHS Data Exposed to Unauthorized Access

An internal memo revealed that the DHS uncovered a misconfiguration in one of its online platforms that left sensitive information exposed to “thousands” of unauthorized users. The platform operated by the DHS’s Office of Intelligence and Analysis (I&A) contained sensitive information shared among it and the FBI, National Counterterrorism Center, and other law enforcement and intelligence agencies.

WIRED issued a Freedom of Information Act (FOIA) request, which resulted in the memo coming to light. The information consists primarily of investigative leads, cybersecurity threats, domestic terrorism, protests, and election-related issues. Some of it also contained personally identifiable information (PII).

First, it was created in an effort to more effectively combat domestic terrorism in the wake of the 9/11 attacks. However, there have been many misgivings regarding its role to “spy” on the American public as part of its mandate. A recent example includes extending the DHS’s powers to screen potential immigrants for anti-US sentiment.

According to the memo, only authorized users of the Homeland Security Information Network’s intelligence crews, AKA HSIN-Intel, were supposed to have access to the data. However, the access rights were apparently set to “everyone” by mistake. Subsequently, investigators reviewed the logs and found the products were viewed 1,525 times in total during the exposure window (March 15–May 11).

The good news is that most of the users were federal employees (437) or state and local users (524). Only 518 users were from the private sector, and 46 were non-US citizens. Also, unauthorized users’ rights were limited to “visitor” only access, so they could not download or save the products.