Cyber Incident Victim: Federal Prison Industries

Date:

Sep 2013

Location:

United States of America

Summary

Federal Prison Industries experienced unauthorized access to its public website, resulting in the theft of a user database containing hashed passwords and government email addresses, which was later traded on cybercrime forums. The breach was linked to vulnerabilities in ColdFusion web application software, prompting the organization to replace its website platform and conduct internal assessments. Limited individuals were notified as a precaution, though the incident was not publicly disclosed until after the data resurfaced. The compromised information included administrative accounts and appeared exclusively tied to the victim's domain, with no evidence connecting this intrusion to other contemporaneous attacks exploiting similar weaknesses.

CIA Posture:

Available to members

Motives:

3 motives (available to members)

Tactics, Techniques & Procedures:

1 technique (available to members)

Threat Actors:

0 actors

Type:

Available to members

Threat Actor Location:

Available to members

Description

In June 2015, a database containing over 23,000 user records with .gov email addresses surfaced on underground cybercrime forums, initially misrepresented as stolen from the Office of Personnel Management (OPM). Analysis revealed the data originated from Unicor.gov, the website of Federal Prison Industries (UNICOR), a U.S. government corporation using penal labor to provide goods and services to federal agencies. The database included hashed passwords and user account information, with early entries showing administrative accounts tied to unicor.gov domains, confirming UNICOR as the source. This breach was traced back to September 2013, when unauthorized access to UNICOR’s public website occurred. Attackers exploited vulnerabilities in Adobe ColdFusion, a web application platform widely targeted by hackers during that period for government and corporate intrusions. UNICOR discovered the intrusion at the time but did not publicly disclose it until contacted by KrebsOnSecurity in 2015 regarding the underground circulation of its data.

Following the 2013 breach, UNICOR replaced its website software to enhance security and conducted internal assessments with law enforcement to determine the incident’s scope. The organization concluded that only "limited individuals" were potentially impacted, issuing precautionary notifications to those affected without broader public disclosure. The stolen data resurfaced two years later, marketed alongside unrelated breaches, though no direct link was established between the UNICOR attackers and other contemporaneous compromises like the National White Collar Crime Center (NW3C) database theft. The NW3C intrusion, also involving ColdFusion exploits, had ties to cybercriminals operating the SSNdob identity theft service, which leveraged data from major brokers like LexisNexis. UNICOR’s incident highlighted risks associated with outdated web platforms, particularly within government entities, and underscored the delayed visibility of breaches when data reappears in criminal markets years after initial compromises.

Sources
Sources available to members
1 source