The Washington, D.C. Metropolitan Police Department experienced a significant data breach in April 2021. A devastating ransomware-based attack on their network culminated in a massive data leak. Hundreds of intelligence reports were among the more than 250 GB of material that the attackers allegedly stole, some of which they then started to post on the dark web.

According to the New York Times, a hacking organization known as Babuk stated on their website that they were responsible for the attack. In the event that a ransom was not paid, the group threatened to make public the identities of police informants and other critical information. The group has already made certain information available on the dark web, including reports from the police chief, departmental arrest records, and names of people of interest.

In contrast to other ransomware attacks, in which the hackers threaten to erase data, Babuk uses extortion and threatens to reveal confidential information if its demands are not fulfilled. The New York Times reports that since the beginning of 2021, at least 26 government agencies have been infected by ransomware, 16 of which were extortion assaults.

This kind of attack is a law enforcement agency's worst fear, and it happens far too frequently. Ransomware assaults increased by over 95% in 2023 compared to the previous year, targeting a number of US government entities, the Dallas Police Department, and Stanford University's Department of Public Safety.

Washington Metropolitan Police Department chief Robert Contee speaks during a news conference in Washington. April 2, 2021. Photo by the Associated Press.

CJIS: the FBI's Criminal Justice Information Services  

In an effort to curb rising attacks, the FBI has updated its CJIS Security Policy, requiring firms to deploy Multi-factor Authentication (MFA) on all systems and applications that contain and access Criminal Justice Information (CJI). The goal is very clear: Ensure that only those who are allowed to examine CJI, including arrest records and digital evidence, can access it. Usernames and passwords are incredibly easy for hackers to compromise– implementing MFA requires providing an additional layer of proof users are who they say they are. 

Authentication factors typically include 

Something You Know 

Password                 PIN                               Security Code 

Something You Have 

Smart card               Mobile Device               Security Key/Token 

Something You Are

Fingerprint               Facial/Iris Scan              Other Biometrics 

Understanding and implementing Multi-Factor Authentication may seem complex, however the experience is surprisingly user friendly. Read our article for a breakdown of MFA or for information on how implementation can work.   

Complying with the October 1, 2024 Mandate  

Organizations storing and using Criminal Justice Information must have established multi-factor authentication (MFA) employing at least two of the above factors by October 1, 2024. In addition to financial penalties, noncompliance with the new CJIS rules may result in the denial of access to the FBI's CJIS data and resources.

Authenticator Assurance Level 2 (AAL2), also known as phishing-resistant MFA, is strongly recommended in the CJIS protection Policy. It provides an additional layer of protection by mandating that one of the authentication factors be a physical one (i.e., something you own). Phishing-resistant multi-factor authentication is highly recommended for enhanced security without significantly increasing costs or disrupting ongoing operations, even though it is not mandatory to meet CJIS criteria.

Our most recently published post details the Three Best Ways to Implement MFA and Gain CJIS compliance. Read this article to learn more about the pros, cons, and user experience of 1) using an ID card as a “key” 2) using mobile devices for MFA and 3) implementing FIDO and PKI enabled USB security keys. To learn more about CJIS, check out our landing page for additional information.