Department of Justice Statement on the intrusion into the Department’s Microsoft O365 email environment

In a statement issued January 6, 2021, the Department of Justice acknowledged that a global incident involved intrusion into the Department’s Microsoft O365 email environment and that this activity constituted a major incident under the Federal Information Security Modernization Act (FISMA). After learning of the malicious activity, the Office of the Chief Information Officer eliminated the identified method by which the actor was accessing the O365 email environment and, in accordance with FISMA, the Department took steps to notify the appropriate federal agencies, Congress, and the public as warranted.

The Department of Justice understands that when victims make information public about the nature and scope of computer intrusions they suffered, others can use that information to prepare themselves for the next threat.  To encourage transparency and strengthen homeland resilience, today we are providing additional details about the intrusion in December 2020.  The following United States Attorneys’ offices had one or more employees’ Microsoft O365 email accounts compromised in connection with the incident affecting the U.S. government and the private sector:

  • Central District of California;
  • Northern District of California;
  • District of Columbia;
  • Northern District of Florida;
  • Middle District of Florida;
  • Southern District of Florida;
  • Northern District of Georgia;
  • District of Kansas;
  • District of Maryland;
  • District of Montana;
  • District of Nevada;
  • District of New Jersey;
  • Eastern District of New York;
  • Northern District of New York;
  • Southern District of New York;
  • Western District of New York;
  • Eastern District of North Carolina;
  • Eastern District of Pennsylvania;
  • Middle District of Pennsylvania;
  • Western District of Pennsylvania;
  • Northern District of Texas;
  • Southern District of Texas;
  • Western District of Texas;
  • District of Vermont;
  • Eastern District of Virginia;
  • Western District of Virginia; and
  • Western District of Washington.

The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the Department's Microsoft O365 email environment breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have had access to compromised accounts from approximately May 7 to December 27, 2020. The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time.

While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.  The Executive Office for U.S. Attorneys has notified all impacted account holders and the Department has provided guidance to identify particular threats.  

The Department’s objective continues to be mitigating the operational, security, and privacy risks caused by the incident.

Updated October 12, 2022