Sometimes hackers come and steal your data. Sometimes it just walks out the door.

The Department of Homeland Security found itself in that latter category this week. It confirmed on Wednesday that a 2014 data breach that affected 247,000 current and former employees was the result of an employee taking home a copy of a sensitive database used by the Department’s Office of the Inspector General (OIG).

The statement by DHS accompanied notices that were sent to current and former DHS employees on Wednesday informing them that their privacy may have been violated in the incident, which dates to 2014.

“You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014,” the notice reads, in part.

The incident came as the result of what DHS described as “an ongoing criminal investigation” by DHS OIG and the U.S. Attorney’s Office. As part of that investigation, DHS OIG discovered what it described as “an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.” 

In addition to information on 247,167 current and former employees, information on subjects, witnesses, and complainants involved in OIG investigations was in the database, also.

DHS, however, says it has no evidence that the information was leaked or stolen from the OIG employees computer after it walked out the door. The “individual’s personal information” was “not the primary target of the unauthorized exfiltration,” DHS said - a statement that is more troubling than reassuring.

The incident is eerily reminiscent of the 2006 theft of information on 26.5 million veterans from the Office of Veterans Affairs (the VA).  In that case, the unencrypted data was stored on a laptop and external hard drive that were taken home by a VA employee and then stolen from the employee’s home.

The DHS incident, like the VA incident 11 years ago or the more recent leaks by Edward Snowden or the leak of the Vault 7 hacking tools from the NSA suggest that Uncle Sam is still struggling to address the myriad risks that massive and complex government organizations like DHS face as they look to secure sprawling IT environments. Investments in attack detection and prevention, while necessary, often overlook the threat posed by malicious and even well meaning insiders, who can easily copy reams of data onto portable devices like laptops, smartphones and USB drives and walk out the front door with it. Once outside the safety of the organization’s network, that data can easily fall prey to cyber criminal or nation-state hackers not to mention run-of-the-mill ‘smash and grab’ burglars.

These aren’t unsolvable problems of course. Data leak detection tools can spot suspicious data movements on or off a network or to portable devices. The lesson of the VA breach was the need for strong encryption to protect sensitive government data - though it's not clear that the lesson has hit home.

Nothing here should be a surprise. The Government Accountability Office (GAO) warned as recently as February, 2017 about the shortcomings of federal government’s cyber security capabilities. GAO noted that the federal government needs to do a far better job protecting the security of personally identifiable information. In fact, GAO called out DHS in particular, saying the agency needed to “improve its cyber incident detection, response, and mitigation capabilities.”

Above all this is the need - as yet unmet - for comprehensive data security laws in the U.S. that govern both private and public systems. The years - decades - of legislative inattention to issues of data security and data privacy have brought us to where we are now: a present where stories about massive data breaches and hacks of both commercial and public data stores are an almost weekly occurrence, where identity theft and fraud are a national scourge and where consumers have little recourse other than to accept the tepid offers of “free credit monitoring” as an apology for the wanton disregard of their privacy and rights as citizens and consumers.

Something has to change. Let’s hope 2018 is the year that it does.

Paul Roberts is the Editor in Chief and Publisher of The Security Ledger and the founder of The Security of Things Forum. He is on Twitter at @paulfroberts