US Marshals Service Breach Exposed Personal Data of 387,000 Prisoners

An anonymous reader quotes a report from Nextgov: The U.S. Marshals Service suffered a cyberattack that exposed the personal information of approximately 387,000 current and former prisoners at the end of last year, according to an agency official. “The attackers were able to exploit a vulnerability in the system to extract sensitive personally identifiable information on approximately 387,000 individuals,” a Marshals Service spokesperson told Nextgov. The spokesperson was referring to a system called DSNet, which is designed to house and transport prisoners within the agency, the federal courts and the Bureau of Prisons. Information extracted included names, addresses, birth dates and Social Security numbers.

Under the Federal Information Security Modernization Act, the data breach qualifies as a “major incident.” Justice and Marshals Service alerted the U.S. Computer Emergency Readiness Team, the FBI and Congress, in addition to the affected stakeholders, the spokesperson said, adding “USMS and the JSOC have taken numerous corrective actions to prevent future attacks, including comprehensive code review/correction and testing before returning DSNet to service.” The spokesperson said the affected individuals were only now being notified because of the time it took to gather their relevant information and identity and to line up the necessary assistance services. The notification letter advised the affected individuals their identity could be stolen and referred them to resources to freeze their credit and protect themselves from fraud.

ZDNet published a copy of the letter the Marshals Service sent to the affected individuals. TechCrunch’s Zack Whittaker first reported the breach on Friday,