US Marshals Service leaks ‘law enforcement sensitive information’ in ransomware incident

The US Marshals Service, the enforcement branch of the nation’s federal courts, has admitted that a “major” breach of its information security defenses allowed a ransomware infection and the exfiltration of “law-enforcement sensitive information”.

NBC broke news of the incident, which Marshals Service spokesperson Drew Wade described as having impacted a system that “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

The incident took place on February 17th and was detected on the same day in a “stand-alone USMS system”.

The Register has asked the Service to confirm reports of the incident and to detail the nature of the attack, the duration of the incident, what remediations have been implemented, and whether systems have been restored.

We’ve also asked if the Service has attributed the source of the attack, and if so to whom.

The mention of “law enforcement sensitive information” is worrying as the USMS’s responsibilities include:

  • Providing for the security of federal court facilities and the safety of judges and other court personnel;
  • Apprehending criminals;
  • Exercising custody of federal prisoners and providing for their security and transportation to correctional facilities;
  • Executing federal court orders;
  • Seizing assets gained by illegal means and providing for the custody, management, and disposal of forfeited assets;
  • Assuring the safety of endangered government witnesses and their families.

You read that last point right: there’s a chance that data describing witness protection programs may have been compromised in this incident.

The incident adds another entry to a long list of recent, serious breaches of US government security.

That shame file includes the 2015 leak of four million employee records and data describing millions more people from the Office of Personnel Management, plenty of SolarWinds-related attacks in 2020, the July 2021 breach of the Federal Courts, the Iranian use of the Log4J vulnerability to attack US government targets, and the compromise of the US Cyber Ambassador’s Twitter account in February 2023.

The United States government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued plenty of guidance explaining how sibling agencies can implement sound infosec practices.

Yet US government agencies have often struggled to implement guidance from Washington, as we discovered when NASA’s auditor reported that the space agency has not hit deadlines to develop a proper software asset management plan. ®