Cyber Incident Victim: Department of Homeland Security
Date: Feb 2016
Location: United States of America
Summary
A hacker published personal information on more than 9,000 Department of Homeland Security employees, including names, job titles, email addresses, and phone numbers, after compromising a Department of Justice email account and then using social engineering to extend that access. Posing as a new employee who could not reach the DOJ web portal, the attacker talked staff into issuing temporary token access, reached an internal database, and pulled 200GB of government worker data, threatening to release details on 20,000 FBI officials next. The leak exposed personnel in intelligence, IT, and security roles; reporters confirmed the data was genuine by calling the listed numbers. The incident followed breaches of accounts belonging to high-ranking U.S. intelligence officials, and the hacker's communications referenced the Israel and Palestine conflict as a possible motivation.
| CIA Posture (Confidentiality, Integrity, Availability) | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 7, 2016, a hacker publicly released the personal information of more than 9,000 Department of Homeland Security (DHS) employees through a Twitter account. The leaked data included full names, job titles, email addresses, and phone numbers for personnel across many roles, including program analysts, IT staff, information security professionals, directors, and roughly 100 individuals in intelligence-related positions. Media outlets verified the data: calls to the published phone numbers reached the legitimate voicemail boxes of the affected employees. The breach first surfaced on February 6, when the hacker contacted Motherboard from a compromised Department of Justice (DOJ) email account and explained that they had started with that single DOJ mailbox and then pivoted to social engineering to get further. By posing as a new employee confused about how to access the DOJ web portal, the hacker convinced staff to issue temporary token access, which let them into an internal DOJ system hosting a government worker database. The control that failed was therefore the identity check behind the token issuance, not the portal login itself: once staff handed over a token to an unverified caller, the authentication step was satisfied.

The attacker extracted approximately 200GB of data from the DOJ intranet, which, by the hacker's own account, included records on 20,000 FBI officials that they threatened to release next. The Twitter account used to distribute the DHS data referenced tensions between Israel and Palestine, suggesting a possible motive for the intrusion. The incident came shortly after separate compromises of private email and phone accounts belonging to the CIA Director and the U.S. Director of National Intelligence, but the available reporting established no operational link between those breaches and this one. Publishing DHS employee details exposed operational personnel to phishing, pretexting, harassment, and identity theft: a name, title, email address, and phone number is exactly the starting material such attacks need, and it is the kind of pretext the hacker had just used against the DOJ. The hacker's claimed access to FBI personnel records pointed to a broader compromise of sensitive law enforcement data beyond the confirmed DHS leak.
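The intrusion above turned on one step: a help desk issued a temporary access token to a caller who only claimed to be a new employee, and the account then pulled a large volume of data. The detection below is an added example written for this page (it is not code from the original entry, the DOJ, or any named product) and treats every help-desk token grant as a high-risk event to be correlated with what the account did next. The log layout, field names (`helpdesk_token_issued`, `identity_check`, `data_export`), the 24-hour window, and the 1GB bulk threshold are all assumptions; the sample events are constructed, not real DOJ or DHS logs.

```python
"""Correlate help-desk token grants with subsequent account activity.

Added example, not from the original page. Field names, event types and
thresholds are assumptions; adapt them to the ticketing and portal logs
you actually have.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each entry is
# (ISO-8601 timestamp, event type, account, details dict).
SAMPLE_EVENTS = [
    # A normal grant: the ticket records an identity check and the
    # account's later export is small.
    ("2016-02-05T09:12:00", "helpdesk_token_issued", "jdoe",
     {"ticket": "HD-1001", "identity_check": "callback_to_manager"}),
    ("2016-02-05T09:40:00", "portal_login", "jdoe", {"src": "10.1.4.22"}),
    ("2016-02-05T10:02:00", "data_export", "jdoe", {"bytes": 3_500_000}),
    # The risky pattern: no identity check on the ticket, then bulk export.
    ("2016-02-05T14:30:00", "helpdesk_token_issued", "newhire7",
     {"ticket": "HD-1002", "identity_check": "none"}),
    ("2016-02-05T14:41:00", "portal_login", "newhire7", {"src": "203.0.113.9"}),
    ("2016-02-05T15:05:00", "data_export", "newhire7", {"bytes": 210_000_000_000}),
    ("2016-02-05T16:30:00", "data_export", "newhire7", {"bytes": 4_000_000_000}),
]


def parse_ts(ts: str) -> datetime:
    """Parse the assumed ISO-8601 timestamp format used by SAMPLE_EVENTS."""
    return datetime.fromisoformat(ts)


def review_token_grants(events, window=timedelta(hours=24),
                        bulk_bytes=1_000_000_000):
    """Return one finding per help-desk token grant that looks risky.

    A grant is flagged when (a) the ticket records no identity verification,
    or (b) the account exports more than `bulk_bytes` within `window` after
    the grant. The two reasons are reported separately so the analyst can
    see which control failed: the issuance process, the data access, or both.
    """
    events = sorted(events, key=lambda e: e[0])
    findings = []
    for ts, etype, account, details in events:
        if etype != "helpdesk_token_issued":
            continue
        granted_at = parse_ts(ts)
        reasons = []

        # Control 1: was the caller's identity verified before the grant?
        if details.get("identity_check", "none") == "none":
            reasons.append("token issued without identity verification")

        # Control 2: what did the account move out after the grant?
        exported = 0
        for ts2, etype2, account2, details2 in events:
            if account2 != account or etype2 != "data_export":
                continue
            when = parse_ts(ts2)
            if granted_at <= when <= granted_at + window:
                exported += details2.get("bytes", 0)
        if exported > bulk_bytes:
            reasons.append(
                f"{exported} bytes exported within {window} of token grant")

        if reasons:
            findings.append({
                "account": account,
                "ticket": details.get("ticket"),
                "granted_at": ts,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_token_grants(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the `jdoe` grant passes both checks and only the `newhire7` grant is reported, with both reasons attached. In practice the first check is the cheaper one to enforce upstream: require the ticketing system to record a verification method before a token can be issued at all, and reserve the export correlation for catching grants that slipped through.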
