A treasure trove of police data titled “BlueLeaks” was hacked from multiple “fusion centers” that act as information-sharing hubs for local, state, and federal law enforcement agencies across the nation and released on the Internet on Friday.
The data was supposedly stolen by the Anonymous group, and it was released in a searchable database by a group called Distributed Denial of Secrets (DDOSecrets) on June 19.
DDOSecrets founder Emma Best told Wired that the hacked files included more than a million emails, audio, video, and intelligence files from more than 200 different police departments.
“It’s the largest published hack of American law enforcement agencies,” Best told Wired in texts. “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to COVID and the BLM protests.”
The leaked files actually span a 24-year period – from August of 1996 through June 19 of this year, according to KrebsOnSecurity.
But the names, emails, addresses, and phone numbers of individual officers that were leaked weren’t even the worst part of the hack.
“Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports,” according to a report by the National Fusion Center Association (NFCA) that was obtained by KrebsOnSecurity.
The NFCA report said the data was stolen from Netsential, a Houston-based company that acted as a hub for fusion centers.
“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA wrote. “Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
Best claimed that the data in DDOSecrets’ database reveals controversial practices by law enforcement and the tone of discussions about groups like Antifa, Wired reported.
“The underlying attitudes of law enforcement is one of the things I think BlueLeaks documents really well,” she wrote in text messages. “I’ve seen a few comments about it being unlikely to uncover gross police misconduct, but I think those somewhat miss the point, or at least equate police misconduct solely with illegal behavior. Part of what a lot of the current protests are about is what police do and have done legally.”
Best pushed back on criticism that the BlueLeaks data dump included bank account numbers, routing numbers, and personally identifiable information, Wired reported.
She claimed DDOSecrets scrubbed the data prior to its release.
“Due to the size of the dataset, we probably missed things,” Best admitted to Wired. “I wish we could have done more, but I’m pleased with what we did and that we continue to learn.”
But she said they intentionally included the financial information in the database.
“The potential of the data, especially in the long run and when correlated with other datasets, outweighs any downsides to allowing the public to examine it,” Best explained to Wired.
She compared BlueLeaks to the 2011 Anonymous hack by Jeremy Hammond, in which data was stolen from police to support Occupy Wall Street protesters.
Hammond is still serving a 10-year sentence for hacking crimes, according to Wired.