
An unknown threat actor broke into one of the Department of Homeland Security’s most important information-sharing systems in recent weeks, potentially exposing sensitive data shared between federal agencies, state and local governments, and private sector partners. Two people familiar with the matter reported the breach to Nextgov/FCW, speaking anonymously because of the sensitivity of the incident.
The compromised system is the Homeland Security Information Network, or HSIN. DHS investigators are actively probing the intrusion. The hackers’ identity and whether any documents were actually taken from the system remain unknown. According to one of the sources, the breach is believed to have occurred sometime between late May and early June, and targeted both HSIN servers and a SharePoint system used for collaboration.
After this story was published, a DHS spokesperson confirmed the incident, saying the department “immediately took action to isolate the affected systems, mitigate the vulnerability, and launch a comprehensive forensic investigation.” The spokesperson added there is no indication that classified networks were affected, and that the system remains operational for partners.
HSIN is not a minor system. It carries unclassified but sensitive information shared across a wide network of partners, including federal, state, local, territorial, tribal, international and private-sector organizations. Users rely on it for a range of critical functions:
- Real-time communication and document sharing
- Alerts, web conferencing and incident management
- Exchanging information about persons of interest and potential threats
- Coordinating safety and security for major planned events
- Maintaining situational awareness during emergencies
The timing is particularly concerning. The U.S. is currently managing security for World Cup matches being held across the country, and HSIN is exactly the kind of platform federal, state and local officials use to coordinate during large international events. If hackers accessed information on the platform, they could potentially have gained insight into security planning, interagency coordination or response procedures surrounding one of the most high-profile events hosted on U.S. soil in years.
DHS’s Office of Intelligence and Analysis has already conducted a damage assessment of the intrusion, according to one of the sources. What exactly the hackers were looking for, or what they may have found, is still being determined.
This is not the first time HSIN has had security problems. In 2023, a contractor’s coding error caused an access misconfiguration that exposed restricted HSIN data to unauthorized users inside the platform. That error allowed sensitive information, including U.S. person data and personally identifying information, to be seen more broadly than intended. The full consequences of that earlier incident are still unclear, according to a third person familiar with the matter. Wired previously reported on that case.
The breach fits a pattern that U.S. officials have been warning about for years. Nation-state groups and criminal hackers routinely target government networks to collect intelligence, steal sensitive data, disrupt operations, or establish a foothold for future attacks. In February, a suspected China-linked breach of an FBI surveillance system likely exposed phone numbers of individuals being monitored by the bureau, according to previous Nextgov/FCW reporting.
Government information-sharing networks are attractive targets precisely because of what they contain: not classified secrets, but the kind of operational, day-to-day sensitive information that can reveal how agencies work, who they are watching, and how they respond to threats. A breach of HSIN does not have to involve top-secret data to cause serious damage.