Full Report
Today’s entry in our “No Need to Hack When It’s Leaking” files is courtesy of the Brennan Center, which obtained an internal oversight report detailing the two-months-long exposure of federal, state, and local intelligence about Americans. A 2024 internal oversight report from the Office of Intelligence and Analysis of the U.S. Department of Homeland Security...
Analysis Summary
# Incident Report: DHS Intelligence Sharing Portal Data Exposure (2023)
## Executive Summary
A significant data exposure incident occurred within the Department of Homeland Security (DHS) Office of Intelligence and Analysis's intelligence sharing hub, the Homeland Security Information Network (HSIN). The exposure, which lasted two months (March to May 2023), was caused by a programming error that improperly granted access to tens of thousands of users lacking the proper clearance, including accounts potentially belonging to foreign governments. Sensitive intelligence documents from the FBI, the NCTC, and state and local agencies were accessed.
## Incident Details
- **Discovery Date:** Not explicitly stated. The source only reports that an internal oversight report detailing the March-May 2023 exposure was generated in 2024, obtained by the Brennan Center, and publicized in September 2025, which implies the error was discovered shortly after May 2023.
- **Incident Period:** March 2023 to May 2023 (Two months long).
- **Affected Organization:** U.S. Department of Homeland Security (DHS) Office of Intelligence and Analysis.
- **Sector:** Government, Intelligence Sharing.
- **Geography:** United States (Federal, State, and Local intelligence shared within the portal).
## Timeline of Events
### Initial Access
- **Date/Time:** March 2023 (Start date).
- **Vector:** Programming/configuration error in the portal's access controls, resulting in unauthorized access.
- **Details:** A programming error in the intelligence portal's access controls resulted in the system being made open or accessible to tens of thousands of users who lacked the required clearance.
### Lateral Movement
- Not applicable. This appears to be an exposure/unauthorized access event rather than a traditional network intrusion/lateral movement scenario facilitated by malware or active exploitation. Access was granted via system configuration.
### Data Exfiltration/Impact
- **Data Accessed:** Hundreds of DHS intelligence documents, some related to sensitive U.S. activities.
- **Scope:** Information from the FBI, the National Counterterrorism Center (NCTC), state and local intelligence agencies, and other law enforcement entities was compromised. Accounts belonging to foreign governments reportedly gained access during the breach period.
### Detection & Response
- **Detection:** The issue was uncovered via an internal oversight inquiry conducted by the DHS Office of Intelligence and Analysis (the findings of which were detailed in an internal report obtained via FOIA in 2024).
- **Response Actions:** Mitigation steps were taken after discovery; the internal report refers to a "mitigation" document, which the Brennan Center links to. No containment details are provided beyond correcting the error.
## Attack Methodology
This incident was not a traditional threat actor attack but rather an **Insider Risk/Misconfiguration Event**. The methodology focuses on failure in controls:
- **Initial Access:** Unauthorized access granted via an **Insecure Configuration/Programming Error**.
- **Persistence:** Not applicable (Access was implicit through the erroneous configuration during the 2-month window).
- **Privilege Escalation:** Not applicable (Improperly elevated access rights were configured by default).
- **Defense Evasion:** Not explicitly applicable, as the exposure was a system flaw, not active evasion techniques against security tools.
- **Credential Access:** Not applicable (Access was likely granted via improperly provisioned user roles/groups).
- **Discovery:** Not applicable (The flaw exposed data broadly rather than requiring targeted reconnaissance).
- **Lateral Movement:** Not applicable.
- **Collection:** Passive review of accessible documents by unauthorized personnel.
- **Exfiltration:** Data was *accessed*, and hundreds of documents were viewed/downloaded. Exfiltration methodology (if data was copied) is unknown.
- **Impact:** Exposure of sensitive intelligence data to unauthorized domestic and foreign entities.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Hundreds of DHS intelligence documents containing sensitive information about Americans and U.S. activities. Data originated from FBI, NCTC, and state/local partners.
- **Operational:** The integrity of the data sharing hub was compromised, potentially eroding trust among partner agencies contributing sensitive intelligence.
- **Reputational:** Significant reputational damage to DHS and participating agencies due to the exposure of sensitive intelligence via internal error.
## Indicators of Compromise
*Specific technical IOCs (IPs, hashes, domains) were not provided in the source material as this was a configuration error, not a TTP-driven attack.*
- **Network Indicators:** N/A (Access stemmed from improperly authenticated or provisioned user accounts).
- **File Indicators:** N/A
- **Behavioral Indicators:** Mass access to sensitive intelligence repositories by users lacking necessary authorization.
## Response Actions
- **Containment:** Implied correction of the programming error that granted broad access, which ended the ongoing exposure.
- **Eradication:** Not explicitly detailed, but involved correcting the access control configuration.
- **Recovery:** Restoring proper authorization levels to the HSIN portal. The internal report referenced suggests a review of policies and procedures post-breach.
## Lessons Learned
- **Configuration Management:** A critical programming error led to the exposure of highly sensitive national security data for two months. Configuration reviews and access control testing must be rigorous, especially for portals handling tiered intelligence data.
- **Access Control:** The system provided access to tens of thousands of users who should not have had it, indicating a fundamental breakdown in the principle of least privilege.
- **Agency Trust:** The breach compromised the trust shared among federal, state, and local partners relying on the hub for sensitive intelligence exchange.
## Recommendations
- Immediately implement mandatory, high-frequency auditing of application code and configuration changes affecting external-facing or multi-agency data portals like HSIN.
- Establish stricter access control provisioning processes, requiring multi-layered approval for access to sensitive intelligence tiers, and verify that foreign entity accounts are appropriately siloed or restricted.
- Conduct mandatory re-training for developers and administrators on secure configuration baselines, emphasizing the principle of least privilege enforcement in all access matrices.