In March–May 2023, a misconfigured **DHS Homeland Security Information Network (HSIN-Intel)** platform exposed **sensitive but unclassified intelligence data**—including investigative leads shared with the FBI, National Counterterrorism Center, and local law enforcement—to **tens of thousands of unauthorized users**. The access controls were incorrectly set to 'everyone,' granting visibility to **non-intelligence government workers (e.g., disaster response teams), private contractors, and foreign government personnel**. The breach stemmed from **poor access management and lack of segmentation**, highlighting systemic failures in cloud security governance. While no classified data was compromised, the exposure risked operational security, counterterrorism efforts, and trust in interagency intelligence-sharing. The incident underscored how **human error and process gaps**—rather than sophisticated cyberattacks—remain a dominant cause of high-impact breaches in critical infrastructure.
TPRM report: https://www.rankiteo.com/company/us-department-of-homeland-security
{
  "id": "us-4641646100525",
  "linkid": "us-department-of-homeland-security",
  "type": "Breach",
  "date": "5/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [
    {'customers_affected': 'Tens of thousands (HSIN users)',
     'industry': 'National Security',
     'location': 'United States',
     'name': 'U.S. Department of Homeland Security (DHS)',
     'size': 'Large',
     'type': 'Government Agency'},
    {'customers_affected': '184 million users (2025 Breach)',
     'industry': 'Technology',
     'location': 'Global',
     'name': 'Multiple Global Platforms (Apple, Google, Meta, Microsoft, etc.)',
     'size': 'Fortune 2000',
     'type': ['Tech Companies', 'Social Media', 'Cloud Providers']},
    {'industry': 'National Security',
     'location': 'United States',
     'name': 'FBI',
     'size': 'Large',
     'type': 'Law Enforcement'},
    {'industry': 'National Security',
     'location': 'United States',
     'name': 'National Counterterrorism Center (NCTC)',
     'size': 'Large',
     'type': 'Intelligence Agency'},
    {'industry': 'Public Safety',
     'location': 'United States',
     'name': 'Local Law Enforcement & Intelligence Fusion Centers',
     'size': 'Varies',
     'type': 'Government'}],
 'attack_vector': ['Misconfigured Access Controls',
                   'Overly Permissive IAM Policies',
                   'Publicly Exposed Storage'],
 'customer_advisories': ['None (DHS)',
                         'Recommended Password Resets for 184M Affected Users (2025 Breach)'],
 'data_breach': {
    'data_encryption': ['None (Plain-Text Records in 2025 Breach)'],
    'data_exfiltration': ['Likely (2025 Breach)', 'Unconfirmed (DHS)'],
    'file_types_exposed': ['Database Records', 'Authorization URLs', 'Credentials'],
    'number_of_records_exposed': ['Undisclosed (DHS)', '184 million (2025 Breach)'],
    'personally_identifiable_information': ['Usernames',
                                            'Passwords',
                                            'Bank Account Details',
                                            'Health Records'],
    'sensitivity_of_data': ['High (Intelligence/National Security)',
                            'Critical (Financial/Health Data)'],
    'type_of_data_compromised': ['Intelligence Reports (DHS)',
                                 'User Credentials (Plain Text)',
                                 'Bank Account Details',
                                 'Health Data',
                                 'Government Portal Access']},
 'date_detected': '2023-05-01',
 'date_publicly_disclosed': '2023-06-01',
 'description': 'An internal DHS memo obtained via FOIA revealed that from '
                'March to May 2023, a DHS online platform (HSIN-Intel) used to '
                'share sensitive but unclassified intelligence was '
                "misconfigured, granting access to 'everyone' instead of only "
                'authorized users. This exposed restricted intelligence to '
                'tens of thousands of unauthorized users, including '
                'non-intelligence government workers, private contractors, and '
                'foreign government staff. The incident highlights systemic '
                'failures in cloud security, including misconfigurations tied '
                'to overly permissive IAM policies, lack of segmentation, and '
                'poor access management. Additionally, a separate 2025 breach '
                'exposed 184 million plain-text user records (including '
                'credentials for Apple, Google, Meta, etc.), emphasizing the '
                'broader crisis of cloud misconfigurations driven by human '
                'error, lack of expertise, and poor governance.',
 'impact': {
    'brand_reputation_impact': ['Erosion of Trust in DHS/Federal Agencies',
                                'Reputation Damage for Affected Platforms (Apple, Google, etc.)'],
    'data_compromised': ['Sensitive Intelligence (DHS)',
                         '184M User Records (2025 Breach)',
                         'Plain-Text Credentials (Apple, Google, Meta, etc.)',
                         'Bank Accounts',
                         'Health Platforms',
                         'Government Portals'],
    'identity_theft_risk': ['High (184M Records Exposed in Plain Text)'],
    'operational_impact': ['Unauthorized Access to Restricted Intelligence',
                           'Increased Risk of Identity Theft/Phishing (2025 Breach)',
                           'Credential Stuffing Attacks'],
    'payment_information_risk': ['High (Bank Account Details Exposed in 2025 Breach)'],
    'systems_affected': ['HSIN-Intel Platform (DHS)',
                         'Unsecured Database (2025 Breach)']},
 'initial_access_broker': {
    'data_sold_on_dark_web': ['Likely (2025 Breach)'],
    'entry_point': ['Misconfigured HSIN-Intel Platform (DHS)',
                    'Unsecured Database (2025 Breach)'],
    'high_value_targets': ['Intelligence Data (DHS)',
                           'User Credentials (2025 Breach)']},
 'investigation_status': ['DHS Internal Inquiry Completed (2023)',
                          '2025 Breach Under Investigation'],
 'lessons_learned': [
    'Misconfigurations are systemic failures tied to people, process, and policy—not just technical oversights.',
    'Overly permissive IAM policies and lack of segmentation enable broad unauthorized access.',
    'Publicly exposed storage buckets/databases with sensitive data create high-risk vectors.',
    'Plain-text credential storage exacerbates identity theft and fraud risks.',
    'Cloud drift and lack of context in security tools lead to alert fatigue and missed critical issues.',
    'Developer workflows (e.g., CI/CD pipelines) can propagate misconfigurations at scale.'],
 'post_incident_analysis': {
    'corrective_actions': ['Revised IAM policies with least-privilege principles.',
                           'Implemented network segmentation for HSIN platforms.',
                           'Enabled centralized logging and monitoring (DHS).',
                           'Mandated encryption for sensitive data (post-2025 Breach).',
                           'Conducted staff training on secure cloud configurations.',
                           'Deployed automated misconfiguration detection tools.',
                           'Established regular audits for public-facing resources.'],
    'root_causes': ["Overly permissive IAM policies ('everyone' access).",
                    'Lack of network segmentation (DHS).',
                    'Disabled logging/missing alerts (no detection of unauthorized access).',
                    'Human error in access configuration (HSIN-Intel).',
                    'Plain-text storage of credentials (2025 Breach).',
                    'Complex cloud architectures without adequate governance.',
                    'Shadow IT/unmonitored accounts (potential factor).',
                    'Inadequate policy-as-code enforcement.']},
 'recommendations': [
    'Implement **least-privilege access** and **just-in-time permissions** for IAM roles.',
    'Enforce **multi-factor authentication (MFA)** on all admin accounts.',
    'Use **automated policy-as-code tools** (e.g., Terraform, Open Policy Agent) to prevent drift.',
    'Enable **centralized logging and monitoring** with context-aware alerts.',
    'Conduct **regular audits** of public-facing storage (buckets, databases, APIs).',
    'Encrypt **data at rest and in transit** (avoid plain-text storage).',
    'Segment networks to **limit lateral movement** in case of breaches.',
    'Train staff on **secure cloud deployment practices** (e.g., Infrastructure as Code templates).',
    'Address **shadow IT** with discovery tools and governance policies.',
    'Prioritize **human-centric security** (training, process improvements) alongside technical controls.'],
 'references': [
    {'date_accessed': '2023-06-01',
     'source': 'WIRED',
     'url': 'https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/'},
    {'date_accessed': '2025-06-01',
     'source': 'Jeremiah Fowler (Cybersecurity Researcher)'},
    {'source': 'Wiz Academy - Top 11 Cloud Security Vulnerabilities',
     'url': 'https://www.wiz.io/academy/top-cloud-vulnerabilities'},
    {'date_accessed': '2023-01-01',
     'source': 'CrowdStrike - Common Cloud Misconfigurations',
     'url': 'https://www.crowdstrike.com/blog/common-cloud-misconfigurations/'},
    {'source': 'SentinelOne - Cloud Misconfiguration Prevention',
     'url': 'https://www.sentinelone.com/blog/cloud-misconfigurations/'},
    {'source': 'SecPod - Top 10 Cloud Misconfigurations',
     'url': 'https://www.secpod.com/blog/top-cloud-misconfigurations/'}],
 'regulatory_compliance': {
    'regulations_violated': ['Potential FISMA (DHS)',
                             'GDPR (if EU citizens affected in 2025 Breach)',
                             'State Data Breach Laws'],
    'regulatory_notifications': ['FOIA Disclosure (DHS)']},
 'response': {
    'communication_strategy': ['FOIA Disclosure (DHS Memo)', 'Media Reports (WIRED)'],
    'enhanced_monitoring': ['Recommended as Corrective Action'],
    'network_segmentation': ['Recommended as Corrective Action']},
 'stakeholder_advisories': ['FOIA Memo (DHS)', 'Media Statements'],
 'title': 'DHS Data Hub Misconfiguration Exposes Sensitive Intelligence to Unauthorized Users',
 'type': ['Data Exposure', 'Unauthorized Access', 'Misconfiguration'],
 'vulnerability_exploited': ['Improper Public Access Configuration',
                             'Lack of Segmentation',
                             'Disabled Logging',
                             'Missing Alerts']}