(TNS) — One of the biggest data breaches in U.S. law enforcement history took place in June. Oh, what? Nobody told you. Not surprising. This is a humiliation of the highest order. Police aren’t releasing statements divulging it.
Most of the leaked data appears to have been stolen from so-called fusion centers, which meld local, state and federal intelligence officers into an intelligence-sharing consortium.
The spies got spied upon. And now some of what they know is out there for the world to see. Even though I’m The Watchdog, I’m not gloating. This is dangerous on so many levels and should never have happened. (Note that I’m not divulging individuals’ information here.)
Aside from the shock of information stolen from more than 200 police departments, it’s stunning how few people, even in law enforcement, know about this. The leak -- apparently done in sympathy with anti-police activists -- consists of 269 gigabytes worth of information. By my math, as an indicator, that’s the equivalent of about 182 million pages of texts. But these files contained videos, photos, spreadsheets and other file formats, too.
The doer apparently is the hacktivist collective Anonymous, partnering with a group called Distributed Denial of Secrets, nicknamed DDoSecrets. Twitter blocked their account, and Reddit removed its BlueLeaks forum. German authorities seized a server. But none of that stopped DDoSecrets. Try as authorities might to block it, the document dump is still out there.
An unsigned statement from the Texas Department of Public Safety stated it did not contract with the web company responsible for not patching vulnerabilities that led to the data leak. “We would refer you to the FBI as the lead agency of this investigation,” DPS stated in an email.
FBI spokesperson Lauren A. Hagee said, “The FBI does not confirm or deny the existence of investigations.”
A Targeted Police Department
The first time I visited the BlueLeaks site, I received a warning to beware because it could be a malicious site. I contacted my ace computer consultant, Scott Green of Philadelphia, for help.
As a precaution, he took one of my old laptops which I had given him and accessed the site that way. He found the files to be clean and started searching for files that might be relevant to you. Among the many, he found a couple that indicate what we’re talking about here.
The first is a spreadsheet of everyone who called Memorial Villages Police Department near Houston to ask for police monitoring of their home while they go on vacation. The data showed name, phone number, address, email, vacation start and stop dates, pet information, names of people allowed to visit while the homeowner is away, cars kept in the driveway and in the garage – in other words, much of what a criminal could use to get inside your life.
The second sheet Scott found is all the information given to police when signing up for a mandatory home alarm system: names, email addresses, mobile numbers, which parts of the house have video coverage, alarm company contact, gate access code, pet description, emergency contacts with phone numbers and IP address for that household.
On that list alone are 7,200 households.
Memorial Villages police didn’t return The Watchdog’s call.
Then with additional help, I found more personal data involving police officers, which I’ll tell you about.
But first, how did this happen? Some police departments and agencies use a Houston web development company called Netsential to handle data through individual portals. The hack came through that company.
“Netsential can confirm its web servers were recently compromised,” a company statement informs. “We are working with the appropriate law enforcement authorities regarding the breach. …. In as much as this is an ongoing investigation, and due to the sensitivity of client information, Netsential will provide no further statement while the matter is pending.”
It’s very difficult to search the data. There’s so much, and it’s not indexed. One reporter I know who tried to download the data told me it was so massive her laptop crashed.
DDoSecrets says the data includes police and FBI reports, security bulletins, law enforcement guides and more. In stories on tech websites about BlueLeaks, little has been said about how non-police citizens’ privacy has been violated, too. That’s because you need a high level of skill to drill through the data. Who has that skill? Criminals.
Local Police Listed
I received help from a second computer expert – a Hurst man who works as a programmer for a security company. He said his bosses didn’t want his name used.
The programmer contacted The Dallas Morning News about the all-too-quiet data breach.
“There’s so much to pore through,” he said. “You can’t do it manually.”
I asked if he found any files from North Texas, and he pulled up one to show me. He said he wouldn’t send it to me because that could be a crime, but through screen sharing on Zoom, I could see it.
It was a listing of the full roster of law enforcement officers from area police departments. Which ones? University of Texas at Arlington, Hood County sheriff, Saginaw, Fort Worth, Texas Department of Public Safety, Fort Worth federal marshals, Arlington, Tarrant County constables and Irving.
The spread sheet includes full name, job title, work phone, mobile phone, supervisor’s name, title and phone number, and a hashed password (actual password but letters are jumbled). It’s possible that this information was in data stored in fusion centers to be used in the event of police emergencies. Netsential worked with some fusion centers, but not all of them.
In one file, relating to what the programmer described as a police alliance of some kind, he said he found instructions showing how to enter their website and what key information was needed.
He said he called the alliance and told them. “They had no idea,” he said.
“Who was this?” I asked.
“ARIC,” he replied.
That’s the Austin Regional Intelligence Center, shared by Austin area police departments.
Spies being spied upon.
Using data on a spreadsheet showing Harris County homeowners’ vacation information, I began calling people on the list to ask if anyone had notified them of the breach. These conversations were awkward.
After introducing myself as a journalist and explaining that I was researching a massive police data breach, I told them that their name and information was included,
One man said, “I’m sorry. I think I need not to respond.” He hung up.
I told another man his email address, vacation dates, the name of his yard man and pool man, and even his vehicles. It was a lot to take in.
“Son of a gun,” the man said. “How on earth is this public?”
I told him about the Houston company.
“Holy moly,” he said “I appreciate the call informing me of this. Let me check it out.”
If you’ve ever signed up for vacation monitoring or paid an annual alarm permit to your local police department, your information could be included.
But don’t bother calling your local police and asking them. They likely won’t know the answer. There’s so much information out there that it’s a massive job to sort and find.
The programmer says his fantasy is to alert everyone involved so they know. I told him that’s likely hundreds of thousands of people across the U.S.
He said he realizes the impracticality of that. As a substitute, he suggests we change our alarm codes and any passwords that are too similar to one another.
“I really want to make a difference and help people,” the programmer said. “Let them know.”
Well, you did, and thank you.
©2020 The Dallas Morning News. Distributed by Tribune Content Agency, LLC.