U.S. Department of Homeland Security network breach reveals false‑positive missteps
The Department of Homeland Security’s Homeland Security Information Network (HSIN) was breached in late May and early June, after analysts twice dismissed intrusion alerts as harmless activity. Between May 15‑24, FEMA analysts observed hackers altering files, using a legitimate web‑server program to run malicious code and deleting logs, but the activity was ruled a false positive. A second wave of alerts from May 25‑June 3 was also dismissed. On June 4 the intruders installed hidden backdoors and stole credential files, prompting DHS to declare an active breach.
The breach, reported publicly in late June, affected an unclassified but highly sensitive data‑sharing environment used by federal, state, local, industry and overseas partners. Investigators have not yet identified the hackers’ affiliation or determined what data, if any, was exfiltrated. DHS stated that classified networks remain unaffected and that the system continues to operate for partners. Officials may brief Congress on the incident in a classified setting in the coming weeks.