US Marshals Service Suffers ‘Major’ Data Hack, Compromising Sensitive Information

Two U.S. Marshals stand on a building as they look out toward the city in a file photo. (Illustration - Elliott Cowand Jr/Shutterstock)
Katabella Roberts
2/28/2023
Updated: 2/28/2023

The United States Marshals Service (USMS) suffered a “major” security breach earlier this month when hackers broke into a computer system and accessed sensitive information about employees and investigative targets, officials confirmed on Feb. 27.

In a statement, a spokesman for USMS—which is responsible for apprehending and handling federal prisoners, pursuing fugitives, and operating the Witness Security Program—said the law enforcement agency discovered the hack and theft of data from its network on Feb. 17.

Spokesman Drew Wade told The Hill that the agency found that the “ransomware and data exfiltration event” had impacted a “stand-alone” system.

After discovering the breach, the Marshals Service “disconnected” the system and the Department of Justice began a forensic investigation, according to Wade.

“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Wade said.

‘Major Incident’

Wade added that on Feb. 22, after the agency briefed senior DOJ officials about the breach, “those officials determined that it constitutes a major incident.”

An investigation into the breach is ongoing, Wade said.

NBC News reported that the Witness Security Program was not breached in the incident, meaning no one in the program is at risk.

The latest hack came just days before the Department of Defense (DoD) said it was able to secure an open email server that had been inadvertently leaking internal military communications across the internet for roughly two weeks.

That leak, which was discovered by independent cybersecurity researcher Anurag Sen, impacted USSOCOM, also known as SOCOM, a unit within the DoD that oversees and coordinates special operations in various military branches, including the Army, Navy, Marine Corps, and Air Force.

According to reports, that leak was caused by a misconfiguration of the DoD server that left it accessible without a password, meaning that anyone on the internet who knew the server’s IP address could reach it.

The server was part of an internal mailbox system that stored around three terabytes of military emails, including sensitive personal and health information of federal employees who were being vetted for security clearances.

Some of the data on the server dated back several years and was mainly related to USSOCOM.

Hacker Finds No-Fly List

Officials did not say if anyone other than Sen had accessed the exposed server and the data held on it before it was secured.

In an emailed statement to The Epoch Times, a DoD spokesperson said: “U.S. Cyber Command and Joint Force Headquarters-Department of Defense Information Network [JFHQ-DODIN] continue to work with affected DoD entities and the cloud service provider [CSP] to assess the scope and impact of this potential data exposure.

“The DoD chief information officer in coordination with JFHQ-DODIN is working with the CSP to understand the root cause of the exposure and why this problem was not detected sooner.”

The spokesperson added that any DoD personnel affected by the incident would be notified.

“DoD takes this matter very seriously and will incorporate all lessons learned from this event to strengthen its cybersecurity posture,” the spokesperson said.

Prior to the discovery of the exposed server, a hacker claimed she was able to access a version of the Transportation Security Administration’s (TSA’s) no-fly list on an unsecured server linked to the commercial airline company CommuteAir.

The TSA has said it was investigating a “potential cybersecurity incident” following the hacker’s claim.

The Epoch Times has contacted the U.S. Marshals Service for comment.