Hackers Breach DHS Network Used to Coordinate Major Event Security

Federal investigators are probing a breach of the U.S. Department of Homeland Security platform that tens of thousands of law enforcement, emergency management and private sector officials rely on to exchange threat intelligence and coordinate security for major events.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
A department spokesperson acknowledged “a recent cyber incident involving a specific, unclassified legacy information sharing environment.” The department isolated affected systems, mitigated the underlying vulnerability and launched a forensic investigation, the spokesperson said. There is no indication classified networks were affected and the platform remains operational, the spokesperson also said.
The Homeland Security Information Network is the department’s system for exchanging sensitive but unclassified information across federal, state, local, tribal, territorial, international and private sector partners. Approved users lean on the platform to manage operations, coordinate safety and security around planned events, respond to incidents and share data across dedicated communities spanning law enforcement, intelligence, emergency services and critical infrastructure.
The intrusion reportedly occurred between late May and early June and targeted HSIN servers, along with an associated SharePoint environment. Federal investigators have not publicly attributed the activity to any actor, and it remains unclear whether any data was exfiltrated from the system.
Sen. Mark Warner, D-Va., vice chair of the Senate Select Committee on Intelligence, said in a statement that he was “deeply concerned by the recent revelation of a compromise” of the network, which he noted has connected law enforcement and Homeland Security partners for more than two decades.
“The information in HSIN, while not classified, is highly sensitive, and its exposure risks national security,” Warner said. He called on DHS and the Department of Justice to determine who breached the platform and what the attackers accessed, and to ensure partners receive timely information and tools to mitigate downstream risks.
Analysts say the platform is actively sharing intelligence in support of safety and security operations for the FIFA World Cup, America250 and other major events. First responders used it to manage the response to the January 2025 midair collision between an American Airlines regional jet and an Army Black Hawk helicopter over Washington.
HSIN traffic can include event security plans, suspicious activity reporting, alerts, information about persons of interest and the day-to-day operational picture shared among agencies during emergencies. An intruder with sustained access could potentially map how agencies communicate and gain insight that could support spear-phishing campaigns, impersonation of trusted partners or broader intelligence collection.
HSIN grew out of the post-9/11 push to break down information silos between federal, state and local authorities. How the attackers got in remains unanswered, and DHS did not respond to ISMG’s questions regarding the specific security failures that led to the breach.
The platform has faced security problems before, including in 2009 when DHS officials confirmed that intruders twice accessed HSIN through a compromised account belonging to a federal employee or contractor. The threat actors managed to access files containing contact information for state and federal personnel, which led DHS to roll out basic cyber hygiene requirements, including two-factor authentication on certain accounts.
