U.S. Marshals Service investigating ransomware attack, data theft

The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as "a stand-alone USMS system."

USMS is a bureau within the Justice Department that provides support to all elements of the federal justice system by executing federal court orders, seizing illegally obtained assets, assuring the safety of government witnesses and their families, and more.

The federal law enforcement agency told NBC, which first reported the story, that the stolen data included employees' personally identifiable information.

Spokesperson Drew Wade said the USMS discovered the "ransomware and data exfiltration event affecting a stand-alone USMS system" on February 17.

"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees," Wade added.

The compromised system is now disconnected from the USMS network, and the attack is currently under active investigation as a "major incident."

According to sources close to the incident, the attackers did not gain access to USMS' Witness Security Files Information System (aka WITSEC or the witness protection program) database.

A USMS spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details regarding the incident.

Personal info of 387,000 prisoners stolen in 2020 breach

This follows another data breach disclosed in May 2020 after the U.S. Marshals Service exposed the details of over 387,000 former and current inmates in a December 2019 incident, including their names, dates of birth, home addresses, and social security numbers.

The security breach was discovered after one of USMS' public-facing servers, part of a system called DSNet that helps facilitate the housing and movement of prisoners, was compromised.

In related news, the U.S. Federal Bureau of Investigation (FBI) also disclosed a cybersecurity incident two weeks ago.

The FBI is now investigating malicious cyber activity on the agency's network that was part of a now-contained "isolated incident."

"This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time," a spokesperson told BleepingComputer at the time.