A Data Breach at the U.S. Marshals Service Revealed Prisoners' Personal Information
In the same way that law enforcement officers should be behavioral role models for regular citizens, law enforcement agencies should show both private and government organizations what to do and what not to do in various situations. Unfortunately, things don't always work out that way. The U.S. Marshals Service (USMS), for example, recently suffered a data breach, and it must be said that the agency's post-incident response has been less than ideal.
Hackers break USMS' servers and steal current and former prisoners' personal data
USMS is a part of the Department of Justice, and its main role is to catch fugitives and serve arrest warrants. Apparently, the personal data of the people who are taken into custody thanks to USMS' actions is logged and stored on a server. At some point last year, this server was compromised, and the data in it was stolen.
In late December 2019, the Justice Department informed USMS of the breach, and shortly after, the hole was plugged. Right now, USMS is in the process of identifying the affected former and current prisoners and informing them through the snail mail. They have every right to know about the incident because during the breach, the hackers siphoned off all the information they need to perpetrate identity theft. According to the notifications, the stolen database included people's names, dates of birth, Social Security Numbers, and home addresses. After being told about the breach, the affected individuals were informed about what they can do to protect themselves against identity theft.
USMS doesn't want to talk about the breach
USMS apparently had no intention of letting the population know about the data breach. It sent the letters out without announcing anything, and people learned about it only after some of the recipients shared photos of the notifications on social media. TechCrunch and ZDNet, the two news outlets that first wrote about the breach, asked USMS for further comments, but the government agency preferred not to disclose any further information.
There's a tangible lack of details around the incident, and it leaves quite a few questions unanswered. We don't know, for example, why it took USMS the better part of four months before it started informing the people affected by the data breach. The notifications themselves are not exactly overflowing with information, either. The letter doesn't say, for example, how many people were affected, what sort of server was used to store prisoners' personal details, or how and when the hackers broke in.
Government organizations should know better than anyone else that properly disclosing a data breach is not as simple as writing a brief notification and saying that people's privacy and security is taken seriously. Even if an investigation is ongoing, complete transparency is essential if the targeted company or institution is to maintain its trustworthiness in the eyes of the public. Unfortunately, in this particular case, transparency doesn't seem to be very high on USMS' priority list.