What happened
The Department of Homeland Security confirmed that hackers breached the Homeland Security Information Network, a sensitive information-sharing platform used by federal, state, local, international, and private-sector partners.
The intrusion reportedly occurred sometime between late May and early June and was carried out by an unknown threat actor. DHS is investigating the incident and has not publicly attributed the attack to a specific group or foreign government.
It remains unclear whether any documents were stolen from the system.
The attackers reportedly targeted HSIN servers and a SharePoint system used for collaboration. DHS’s Office of Intelligence and Analysis has conducted a damage assessment of the breach.
HSIN is used to share sensitive but unclassified information among approved partners. Users can access data, exchange requests with partner agencies, manage operations, coordinate safety and security for planned events, respond to incidents, and share critical information needed to protect communities.
The platform also supports real-time communication, alerts, incident management, and information sharing about persons of interest and potential threats.
DHS confirmed the incident to BleepingComputer and said it involved a specific unclassified legacy information-sharing environment. The department said it isolated the affected systems, mitigated the vulnerability, and launched a forensic investigation.
DHS said there is no indication that classified networks were impacted. The department also said the system remains operational for partners, though it declined to provide further operational details because the investigation is ongoing.
HSIN previously suffered a separate security incident in 2023, when an access misconfiguration linked to a contractor coding error exposed restricted data within HSIN-Intel. That earlier incident involved permissions being set too broadly, exposing sensitive U.S. person data and other personally identifiable information to HSIN users.
Who is affected
DHS and approved HSIN users are directly affected, including federal, state, local, international, and private-sector partners that use the platform for information sharing and coordination.
The practical impact depends on what, if anything, was accessed or stolen. DHS has not confirmed whether documents were exfiltrated.
The incident is also relevant to agencies and organizations that rely on HSIN for real-time alerts, incident management, safety coordination, security planning, and information sharing about persons of interest or potential threats.
Classified systems are not believed to be affected, according to DHS.
Why CISOs should care
This incident highlights the risk surrounding sensitive but unclassified collaboration environments. These systems may not hold classified information, but they can still contain operationally sensitive data, partner communications, incident response information, threat reports, and security planning material.
For CISOs, the SharePoint component is especially relevant. Collaboration platforms often become high-value targets because they centralize documents, access permissions, workflows, and cross-organizational coordination.
The incident also reinforces the importance of legacy environment governance. DHS described the affected system as an unclassified legacy information-sharing environment, which should prompt security leaders to review older collaboration platforms for exposure, access control weaknesses, logging gaps, and patching issues.
The timing also matters because HSIN supports operational coordination. If attackers accessed planning documents, alerts, or partner communications, the risk could extend beyond data exposure into operational security and trust between agencies and external partners.
3 practical actions
- Review access controls for sensitive collaboration platforms: HSIN is used by many government and partner organizations to share sensitive but unclassified information. CISOs should verify that collaboration systems enforce least privilege, strong authentication, and appropriate partner access boundaries.
- Audit legacy information-sharing environments: DHS described the affected system as a legacy environment. Security teams should identify older portals, SharePoint sites, partner exchanges, and document repositories that may have weaker monitoring, outdated configurations, or unmanaged external access.
- Prepare damage assessment playbooks for shared platforms: DHS’s Office of Intelligence and Analysis conducted a damage assessment. Organizations should have procedures to quickly determine what files, messages, alerts, partner records, or operational plans may have been accessed after a collaboration platform breach.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

