


Senior Staff Writer

Data Breach Notification: Islamic State Human Resources & Recruiting

Mar 10, 2016 | 4 mins
Data Breach, Security

While it's unlikely IS will issue a legitimate notification, Salted Hash felt one should be produced nevertheless.


Dear Brother:

Islamic State regrets to inform you that sometime on or about 14 December 2015, a trusted member of our organization violated your privacy and exposed your personal recruitment details to international law enforcement and military operatives.

We regret this incident, and wish to extend our most sincere apologies. This letter will explain the situation in detail, as well as the steps we are taking to improve security going forward.

What Happened?

Sometime on or about 14 December 2015 a member of our organization, Abu Hamed, stole a USB drive containing confidential IS information on its members and their personal histories.

The USB drive was stolen from the head of our internal security police during a conference in Turkey. We’ve approximated that some 22,000 records were compromised during this treacherous act.

What Information Was Involved?

The files on the drive contain your recruitment application and questionnaire.

The data exposed by the traitor includes: Your name (and fighter name if appropriate); mother’s maiden name; blood type; date of birth; marriage status; address at the time of recruitment; education level; the level of Sharia understanding you possessed at the time of recruitment; details on your previous job (Jihad-based) prior to recruitment; a list of countries you’ve traveled to or through; and the area you entered from during the recruitment process.

In addition, select forms contained some or all of the following information: Your sponsor’s name, the date you entered recruitment; previous fighting experience (Jihad-based); any special skills; current place of work during the recruitment process; the security deposit status and amount; level of obedience; contact numbers; and if applicable – your date of death.

NOTICE: Some forms contained personal notes from IS staff members and management; these notes could contain additional personal information or details.

IS has determined that no financial information, such as credit card or banking details, was exposed during this incident. In addition, for those applicants in the United States, your Social Security Number was not listed on the stolen records.

What steps are we taking?

Unfortunately, we cannot work with law enforcement on a local or international scale due to various regulatory complications. We have attempted to contact an outside security firm to assist in our investigation, but at this point, none of the more reputable firms have returned our calls.

We will continue to seek additional security assistance, but in the meantime we have adopted a new policy.

(1) Human Resources and Recruitment will undergo regular audits to ensure that all USB drives are accounted for and that any laptops or personal devices housing recruitment data are secured inside a locked desk drawer.

Given the state of operations, we have been unable to contact most of you directly, but it is our hope that this notification reaches you with due haste. If it doesn’t and you are contacted by nation-state actors or law enforcement first, we once again offer our sincere apologies for this incident.

What can you do?

For those of you who receive this notification in time, we are pleased to offer you 24 months of identity theft protection and credit monitoring. We have partnered with a reputable firm in North Carolina (1st SFOD-D) to handle all applications for this valuable assistance. You may contact them directly; simply provide your name, location, and inform them you were one of our members exposed during this incident. They’ll take it from there.

For more information:

IS takes your privacy and security very seriously, and once again we wish to apologize for this embarrassing incident. We want you to be kept informed of this situation, so we’ve arranged continuous coverage on Sky News. All current updates on this situation will be posted to their website:

Salted Hash would like to give a tip of the hat to Jessy Irwin and Jonathan Ździarski for unintended encouragement in the development of this notification letter.