The U.S. Marshals Service (USMS) is investigating a ransomware attack that occurred last month and resulted in a “data exfiltration event.”
A threat actor is now claiming on a Russian-speaking hacking forum to be selling, for $150,000, hundreds of gigabytes of data allegedly stolen from USMS servers.
The information reportedly includes aerial footage and photos of military bases and other high-security areas, copies of passports and identification documents, details on wiretapping and surveillance of citizens, and information on convicts, gang leaders, and cartels.
Some files are also allegedly marked as SECRET or TOP SECRET, and the database is said to include details about witnesses in the witness protection program.
USMS spokesperson Drew Wade confirmed that the ransomware attack was a “major incident” that included the theft of personally identifiable information of subjects of USMS investigations, third parties, and certain USMS employees.
However, sources close to the incident reported that the attackers did not gain access to the USMS’ Witness Security Files Information System (WITSEC), also known as the witness protection program database.
This is not the first time USMS has experienced a data breach.
In May 2020, the agency disclosed that it exposed the details of more than 387,000 former and current inmates in a December 2019 incident, including their names, dates of birth, home addresses, and social security numbers.
The recent ransomware attack and data exfiltration event at USMS follows a cybersecurity incident disclosed by the U.S. Federal Bureau of Investigation (FBI) two weeks ago. The FBI described it as a now-contained “isolated incident.”