GEO said it was sending data-breach notification letters to all affected individuals, but the company was unaware of any fraud or misuse of the information.
GEO owns or operates 123 facilities with a total of around 93,000 beds and about 23,000 employees in the U.S., U.K. and South Africa.
In a ransomware attack, criminal hackers penetrate a computer system and encrypt vital data. The system’s user is then offered the encryption key in exchange for payment, generally using Bitcoin or another cryptocurrency.
The ransomware attack on GEO compromised data for prisoners at South Bay Correctional and Rehabilitation Facility in Florida, a Pennsylvania youth facility and a now-closed facility in California, as well as employee data on two corporate servers.
The data include medical treatment information, which is private under federal law, and information that could be used in identity theft such as name, date of birth, and Social Security number. GEO worked with law enforcement and cybersecurity firms to investigate the attack.
In a document filed with the U.S. Securities and Exchange Commission, GEO said it was able to recover “critical operating data,” but did not explain whether this involved paying a ransom or the use of backup files. Also unexplained was why GEO waited 76 days to inform people that their data had been compromised.
As a digital subscriber to Prison Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login