US Marshals Ransomware Hit Is 'Major' Incident

Unknown attackers made off with a raft of PII, the Justice Department says — but witnesses in the protection program are still safe.

flags of United States Marshals Service and USA painted on cracked wall
Source: Daniren via Alamy Stock Photo

The US Marshals Service (USMS), which is tasked with hunting down fugitives and administering the Witness Security Program, was hit with a "major" ransomware incident and data breach in mid-February, officials said.

Despite the ransomware element, USMS's fugitive-hunting operations have continued in the wake of the cyberattack, officials said. However, on Feb. 17, unidentified cyberattackers absconded with a treasure trove of important data, according to Drew Wade, a Justice Department spokesperson.

"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information [PII] pertaining to subjects of USMS investigations, third parties, and certain USMS employees," he told NBC News.

Meanwhile, the outlet cited unnamed sources within the DoJ as confirming that the Witness Security Program (known as the "witness protection program" in films and TV) was not affected.

The attack impacted a "standalone USMS system," Wade said, which was quarantined from the rest of the network. Even so, the incursion should be seen as a "major incident,” he added.

A concrete motive for the attack and the culprits behind it may emerge over the course of the investigation, but targeting the PII could be a prelude to a broader cyber offensive, according to Lior Yaari, CEO and co-founder of Grip Security.

"The US Marshals data breach is another example of how cybercriminals aim for identities — the most common threat target," he says, noting that the data in general would be valuable to a wide range of attacker types. "In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights