Arlington Virginia firm Miracle Systems is currently under investigation by the US Secret Service after information it held on sensitive was found for sale on the dark web. the company holds multiple ISO certifications, including ISO 9001, ISO 20000 and ISO 27001, issued by AFNOR.

According to reporting by Krebs on Security, the information included “credentials and databases managed by” Miracle Systems, and was being auctioned for illegal use on the “cybercrime underground“:

The seller bragged that he had access to email correspondence and credentials needed to view databases of the client agencies, and set the opening price at six bitcoins (~USD $60,000).

The ISO 20000 certification would have alleged to certify Miracle Systems’ “IT service management system,” and the ISO 27001 would have specifically covered the company’s “information security management system.” The latter certification is supposed to provide confidence that events such as a data breach of this magnitude cannot happen.

The company also holds CMMI maturity level 3 for the CMMI-SVC model, applicable to IT service companies, with a “service system development” (SSD) add-on. The company’s last appraisal was in December of 2016, and would therefore be expiring in December of this year.

The ISO certifications were all issued by AFNOR, a French certification body typically accredited by COFRAC; however, US audits for AFNOR are conducted by a firm called BQS, and it was not immediately clear what accreditation body holds authority over the US operations. Representatives of AFNOR North America did not immediately reply to a request for clarification on this point.

It is likely that no matter which Accreditation Body is involved, it is a member of the International Accreditation Forum (IAF).

According to the Krebs article, Miracle Systems is cooperating with the Secret Service investigation, even as it faces potential criminal charges should the US government find Miracle either intentionally leaked the information, or was negligent in protecting it.

ISO certifications have been found to have been granted to many companies involved in similar scandals or breaches. The massive data breach at credit monitoring company Equifax occurred while the company held ISO 27001 certification issued by an Ernst & Young division, despite the fact that another E&Y firm conducted auditing of the company’s financial practices.

PCM Technology Solutions was also hit with a cyberattack despite holding an ISO 27001 certificate attesting to its information security management; that certificate was issued by the British certification body ACS Registrars.