UPDATED 20:07 EST / JANUARY 04 2018


Homeland Security confesses employee stole 250,000 confidential records

In a rather embarrassing confession from a department tasked with keeping the country safe, the U.S. Department of Homeland Security has been forced to admit that an employee stole data covering approximately 250,000 confidential records.

The data included personally identifiable information pertaining to 247,167 employees along with data on subjects, witnesses and complaints associated with investigations undertaken by the department from 2002 through 2014.

The data breach itself occurred in 2014 but was not discovered until May 2017, when an investigation by the DHS Office of Inspector General and the U.S. Attorney’s Office found an unauthorized copy of its investigative case management system in the possession of a former DHS OIG employee.

Why the former employee took a copy of the database is not clear, nor does DHS say whether the employee used the data for nefarious purposes. But to be on the safe side, the department has informed all former and current employees listed in the database of the breach and is offering them 18 months of free credit monitoring and identity protection services.

DHS said it takes security very seriously and is making every effort to ensure this does not happen again. “DHS is implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns,” the department said in a statement Wednesday. “We will continue to review our systems and practices in order to better secure data. DHS OIG has also implemented a number of security precautions to further secure the DHS OIG network.”

Daniel Conrad, identity and access management specialist at One Identity LLC, told SiliconANGLE that “if this isn’t a case of poorly governed access to applications and data, I don’t know what is.”

“Governing access to data and applications is the process of ensuring only the right people have the right access to the right data and apps at the right time – and you can prove it,” Conrad explained. “It seems that DHS has failed on this account by allowing the wrong person to have access to inappropriate data…and their auditing infrastructure was unable to show it.”

Conrad said DHS would have been able to avert the calamity in two ways. First, it could have deployed a robust identity and access management platform to ensure that only the right people have access to this type of sensitive data. Second, strong auditing and segregation of duties might have alerted the right people at DHS that this much sensitive data was “leaving the building.”

“It’s good that the DHS alerted the affected individuals of this breach,” Conrad concluded. “It would have been better had they been proactive in the first place.”

Photo of Secretary of Homeland Security John Kelly: dhsgov/Flickr
