Sensitive information for members of Congress and their staff and family members has been exposed in a data breach, according to House leaders. The FBI was able to purchase leaked information from health insurance marketplace DC Health Link on the dark web, House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries wrote in a letter.

The data included the names of enrollees’ spouses, dependent children, social security numbers and home addresses, according to the letter. “This breach significantly increase the risk that members, staff and their families will experience identity theft, financial crimes and physical threats — already an ongoing concern,” it reads.

McCarthy and Jeffires said the FBI hadn’t yet determined the size and scope of the breach, though they indicated that the impact on “House customers could be extraordinary.” They noted that thousands of House members and employees from throughout the country have signed up for health insurance through DC Health Link since 2014.

“Fortunately, the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to Members of Congress,” the House leaders wrote. “This will certainly change as media reports more widely publicize the breach.”

“Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Members and House staff were stolen,” Catherine L. Szpindor, the House of Representatives’ chief administrative officer, wrote in a letter to colleagues. Reports suggest that the data also includes details on senators and their staff, but that information was seemingly limited to their names and those of family members.

DC Health Link operator DC Health Benefit Exchange Authority said it has opened an investigation. “We are in the process of notifying impacted customers and will provide identity and credit monitoring services,” it told NBC News in a statement. The FBI has confirmed it’s aware of the incident, while Capitol Police are assisting the agency with its investigation.

A member of a dark web forum reportedly claimed this week that they had data on 170,000 DC Health Link customers and were willing to sell the information. They later said the information had been sold.

“We’re gonna continue to work on this issue in a bipartisan way, get to the bottom of what happened, figure out the implications of what has occurred,” Jeffries said at a press conference on Thursday. “And also we’re gonna need some real reassurance as to guardrails that are put in place to prevent this type of data breach from ever happening again.”

Source: www.engadget.com