U.S. Marshals Service Breach Exposed Personal Data of 387,000 Prisoners

MikeDotta/Shutterstock

The agency notified affected individuals this month after learning about the intrusion in December.

The U.S. Marshals Service suffered a cyberattack that exposed the personal information of approximately 387,000 current and former prisoners at the end of last year, according to an agency official.

“The attackers were able to exploit a vulnerability in the system to extract sensitive personally identifiable information on approximately 387,000 individuals,” a Marshals Service spokesperson told Nextgov. 

The spokesperson was referring to a system called DSNet, which is designed to house and transport prisoners within the agency, the federal courts and the Bureau of Prisons. Information extracted included names, addresses, birth dates and Social Security numbers.  

Reports of the breach first surfaced on Friday, and cited notification letters the Marshals Service sent to the affected individuals. ZDNet published a copy of the letter, dated May 1, and linked to comments from concerned parties on Twitter.

“On December 30, 2019, the United States Marshals Service (USMS) Information Technology Division (ITD) received notification from the Department of Justice, Security Operations Center (JSOC) of a security breach affecting a public-facing USMS server that houses information pertaining to current and former USMS prisoners,” the letter reads. “You have been identified as an individual whose personally identifiable information (PII) may have been compromised as a result of this breach.”  

The agency spokesperson confirmed the date of the incident, and said JSOC was able to detect the intrusion due to a new cybersecurity monitoring tool.

Under the Federal Information Security Modernization Act, the data breach qualifies as a “major incident.”

Justice and Marshals Service alerted the U.S. Computer Emergency Readiness Team, the FBI and Congress, in addition to the affected stakeholders, the spokesperson said, adding “USMS and the JSOC have taken numerous corrective actions to prevent future attacks, including comprehensive code review/correction and testing before returning DSNet to service.”

The spokesperson said the affected individuals were only now being notified because of the time it took to gather their relevant information and identity and to line up the necessary assistance services.

The notification letter advised the affected individuals their identity could be stolen and referred them to resources to freeze their credit and protect themselves from fraud.