Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Vulnerability, Ransomware, Data Leak and Breach.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with notification letters sent to affected individuals, remediation measures with additional security measures implemented to restrict access to information, and containment measures with improved detection and response capabilities, containment measures with local law enforcement training, containment measures with technology deployment, and law enforcement notified with yes, and containment measures with repositioning cctv, containment measures with training police to handle hazardous drones, and and communication strategy with foia disclosure (dhs memo), communication strategy with media reports (wired), and network segmentation with recommended as corrective action, and enhanced monitoring with recommended as corrective action, and and and containment measures with public service announcement (psa), containment measures with awareness campaign, containment measures with reporting via ic3 (internet crime complaint center), and remediation measures with password changes, remediation measures with multi-factor authentication (mfa) enforcement, remediation measures with account monitoring, and communication strategy with fbi psa, communication strategy with media outreach, communication strategy with direct warnings to potential targets, and enhanced monitoring with recommendation for individuals to monitor accounts..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email Account, Misconfigured HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach) and SMS/MMS messagesvoice calls/voicemailsfake messaging platforms.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (Pii), Job Titles, Phone Numbers, Email Addresses, , Personally Identifiable Information, , Sensitive But Unclassified Intelligence, Investigative Leads, Law Enforcement Tips, Foreign Hacking/Disinformation Reports, Domestic Protest Analyses, Cybersecurity Threat Intelligence, , Intelligence Reports (Dhs), User Credentials (Plain Text), Bank Account Details, Health Data, Government Portal Access, , Personal Identifiable Information (Pii), Credentials, Contact Lists, Potentially Sensitive Communications and .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Notification letters sent to affected individuals, Additional security measures implemented to restrict access to information, , password changes, multi-factor authentication (MFA) enforcement, account monitoring, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by improved detection and response capabilities, local law enforcement training, technology deployment, , repositioning cctv, training police to handle hazardous drones, , public service announcement (psa), awareness campaign, reporting via ic3 (internet crime complaint center) and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Pending Extradition to the US.

Key Lessons Learned: The key lessons learned from past incidents are Improved countermeasures and preparedness against unmanned aircraft systems are necessary.Urgent action and cooperation between federal and local agencies are necessary to ensure public safety and preserve critical infrastructure.Misconfigurations are systemic failures tied to people, process, and policy—not just technical oversights.,Overly permissive IAM policies and lack of segmentation enable broad unauthorized access.,Publicly exposed storage buckets/databases with sensitive data create high-risk vectors.,Plain-text credential storage exacerbates identity theft and fraud risks.,Cloud drift and lack of context in security tools lead to alert fatigue and missed critical issues.,Developer workflows (e.g., CI/CD pipelines) can propagate misconfigurations at scale.AI-powered scams are increasingly sophisticated and can bypass traditional skepticism.,Trust-based attacks exploit human psychology, requiring behavioral defenses (e.g., verification habits).,Publicly available data (e.g., LinkedIn, social media) fuels convincing impersonations.,Multi-factor authentication (MFA) is critical but must be paired with user education to prevent code-sharing.,Proactive communication from authorities can mitigate large-scale campaigns.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Motherboard, and Source: DHS Memo, and Source: AFP, and Source: WIRED, and Source: Freedom of Information Act (FOIA) request (Brennan Center for Justice), and Source: DHS internal memo (obtained via FOIA), and Source: WIREDUrl: https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/Date Accessed: 2023-06-01, and Source: Jeremiah Fowler (Cybersecurity Researcher)Date Accessed: 2025-06-01, and Source: Wiz Academy - Top 11 Cloud Security VulnerabilitiesUrl: https://www.wiz.io/academy/top-cloud-vulnerabilities, and Source: CrowdStrike - Common Cloud MisconfigurationsUrl: https://www.crowdstrike.com/blog/common-cloud-misconfigurations/Date Accessed: 2023-01-01, and Source: SentinelOne - Cloud Misconfiguration PreventionUrl: https://www.sentinelone.com/blog/cloud-misconfigurations/, and Source: SecPod - Top 10 Cloud MisconfigurationsUrl: https://www.secpod.com/blog/top-cloud-misconfigurations/, and Source: FBI Public Service Announcement (PSA)Url: https://www.ic3.gov.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Foia Disclosure (Dhs Memo), Media Reports (Wired), Fbi Psa, Media Outreach and Direct Warnings To Potential Targets.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Foia Memo (Dhs), Media Statements, None (Dhs), Recommended Password Resets For 184M Affected Users (2025 Breach), , Fbi Psa Warning Senior Officials And Their Contacts, Recommendations For Public Vigilance, General Public Alert Via Media, Direct Outreach To Potential High-Value Targets and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Recommended As Corrective Action, , Recommendation For Individuals To Monitor Accounts, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Improve Detection And Response Capabilities, Enhance Local Law Enforcement Training, Deploy Advanced Technologies To Mitigate Drone Threats, , Revised Iam Policies With Least-Privilege Principles., Implemented Network Segmentation For Hsin Platforms., Enabled Centralized Logging And Monitoring (Dhs)., Mandated Encryption For Sensitive Data (Post-2025 Breach)., Conducted Staff Training On Secure Cloud Configurations., Deployed Automated Misconfiguration Detection Tools., Established Regular Audits For Public-Facing Resources., , Fbi-Led Awareness Campaigns Targeting High-Risk Groups, Encouragement Of Mfa Adoption And Password Hygiene, Development Of Ai-Detection Tools For Voice/Video Calls, Policy Changes To Limit Public Exposure Of Official Contact Details, Enhanced Collaboration Between Government Agencies And Tech Platforms To Disrupt Scam Infrastructure, .

Last Attacking Group: The attacking group in the last incident were an Hacker, Extremists, Violent Extremists and Unnamed Ransomware Gang.

Most Recent Incident Detected: The most recent incident detected was on 2023-06-21.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-06-01.

Most Significant Data Compromised: The most significant data compromised in an incident were 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, , Employee names, Social Security numbers, Dates of birth, Positions, Grades, Duty locations, , law enforcement leads and tips, reports on foreign hacking and disinformation campaigns, analysis of domestic protest movements (e.g., Stop Cop City protests in Atlanta), cybersecurity intelligence (39% of exposed products), media reports praising violent actions against police, , Sensitive Intelligence (DHS), 184M User Records (2025 Breach), Plain-Text Credentials (Apple, Google, Meta, etc.), Bank Accounts, Health Platforms, Government Portals, , personal information, login credentials, contact lists, potentially sensitive government communications and .

Most Significant System Affected: The most significant system affected in an incident was DHS OIG Case Management System and Homeland Security Information Network-Intelligence (HSIN-Intel) platform and HSIN-Intel Platform (DHS)Unsecured Database (2025 Breach).

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Improved detection and response capabilitiesLocal law enforcement trainingTechnology deployment, Repositioning CCTVTraining police to handle hazardous drones and public service announcement (PSA)awareness campaignreporting via IC3 (Internet Crime Complaint Center).

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were 184M User Records (2025 Breach), Information about DHS security experts, programme analysts, IT, infosec, and security, as well as 100 individuals who hold the title of intelligence, Bank Accounts, contact lists, Grades, Social Security numbers, personal information, Sensitive Intelligence (DHS), Duty locations, law enforcement leads and tips, Plain-Text Credentials (Apple, Google, Meta, etc.), cybersecurity intelligence (39% of exposed products), reports on foreign hacking and disinformation campaigns, Positions, Dates of birth, potentially sensitive government communications, analysis of domestic protest movements (e.g., Stop Cop City protests in Atlanta), login credentials, 200GB of data, including records of 20,000 FBI workers and 9,000 DHS employees, Government Portals, Employee names, media reports praising violent actions against police and Health Platforms.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 184.0M.

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Pending Extradition to the US.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Proactive communication from authorities can mitigate large-scale campaigns.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Encrypt **data at rest and in transit** (avoid plain-text storage)., Train staff on **secure cloud deployment practices** (e.g., Infrastructure as Code templates)., Training police on handling hazardous drones, Enable **centralized logging and monitoring** with context-aware alerts., Improve detection and response capabilities, Repositioning CCTV cameras, Conduct **regular audits** of public-facing storage (buckets, databases, APIs)., Prioritize **human-centric security** (training, process improvements) alongside technical controls., Implement **least-privilege access** and **just-in-time permissions** for IAM roles., Use **automated policy-as-code tools** (e.g., Terraform, Open Policy Agent) to prevent drift., Segment networks to **limit lateral movement** in case of breaches., Address **shadow IT** with discovery tools and governance policies., Deploying sensors for drone detection, Enhance local law enforcement training, Deploy advanced technologies to mitigate drone threats and Enforce **multi-factor authentication (MFA)** on all admin accounts..

Most Recent Source: The most recent source of information about an incident are WIRED, Jeremiah Fowler (Cybersecurity Researcher), Motherboard, DHS Memo, Wiz Academy - Top 11 Cloud Security Vulnerabilities, SecPod - Top 10 Cloud Misconfigurations, SentinelOne - Cloud Misconfiguration Prevention, CrowdStrike - Common Cloud Misconfigurations, FBI Public Service Announcement (PSA), Freedom of Information Act (FOIA) request (Brennan Center for Justice), AFP and DHS internal memo (obtained via FOIA).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.wired.com/story/dhs-data-hub-exposed-sensitive-intel-unauthorized-users/, https://www.wiz.io/academy/top-cloud-vulnerabilities, https://www.crowdstrike.com/blog/common-cloud-misconfigurations/, https://www.sentinelone.com/blog/cloud-misconfigurations/, https://www.secpod.com/blog/top-cloud-misconfigurations/, https://www.ic3.gov .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was FOIA Memo (DHS), Media Statements, FBI PSA warning senior officials and their contacts, recommendations for public vigilance, .

Most Recent Customer Advisory: The most recent customer advisory issued were an None (DHS)Recommended Password Resets for 184M Affected Users (2025 Breach) and General public alert via mediadirect outreach to potential high-value targets.

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Email Account.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Lack of adequate detection and response capabilities for drone threats, misconfiguration of HSIN-Intel access controls (set to 'everyone')inadequate access review processes, Overly permissive IAM policies ('everyone' access).Lack of network segmentation (DHS).Disabled logging/missing alerts (no detection of unauthorized access).Human error in access configuration (HSIN-Intel).Plain-text storage of credentials (2025 Breach).Complex cloud architectures without adequate governance.Shadow IT/unmonitored accounts (potential factor).Inadequate policy-as-code enforcement., Over-reliance on trust in digital communicationsLack of widespread MFA adoptionPublic exposure of personal/professional details (e.g., LinkedIn, government directories)Limited public awareness of AI-generated scam tacticsDelayed reporting of suspicious activity.

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Improve detection and response capabilitiesEnhance local law enforcement trainingDeploy advanced technologies to mitigate drone threats, Revised IAM policies with least-privilege principles.Implemented network segmentation for HSIN platforms.Enabled centralized logging and monitoring (DHS).Mandated encryption for sensitive data (post-2025 Breach).Conducted staff training on secure cloud configurations.Deployed automated misconfiguration detection tools.Established regular audits for public-facing resources., FBI-led awareness campaigns targeting high-risk groupsEncouragement of MFA adoption and password hygieneDevelopment of AI-detection tools for voice/video callsPolicy changes to limit public exposure of official contact detailsEnhanced collaboration between government agencies and tech platforms to disrupt scam infrastructure.