Much like the incident in Texas in 2019 that saw multiple government agencies from around the state breached, a massive breach of law enforcement agencies from all over the United States can be traced back to a shared third-party vendor. The data dump, which contains 269 GB of police files from both local agencies and the FBI, has been tied to a breach at Houston-based web services company Netsential.
The contents of the BlueLeaks data dump
The data dump has exposed sensitive information from what appears to be hundreds of agencies located in various parts of the United States. The police files consist of all sorts of sensitive internal communications: emails, reports, bulletins and apparently even some payment documents that contain bank account and routing numbers.
The police files were released to the internet by a Wikileaks-like hacktivist group calling itself “Distributed Denial of Secrets” (DDoSecrets). The group posted the contents of the data dump to a searchable web portal and announced it to the public via a Twitter account (which has since been deactivated).
DDoSecrets claimed that the hacktivist group Anonymous was responsible for the data dump, but this does not exactly paint a clear picture of who was actually behind it. Anyone can use the Anonymous mantle, and many different (and unrelated) factions do. There are a number of different Anonymous accounts on Twitter, for example, and most of these did not claim any responsibility for or association with the breach or the publication of the police files.
The files reportedly contain communications related to the series of police misconduct protests that followed the death of George Floyd, which appears to have been the main reason for the data dump. However, they also contain at least ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. The oldest documents in the data dump are dated from August 1996.
The authenticity of the data dump was verified by both cybersecurity journalist Brian Krebs and the National Fusion Center Association, the central organization that facilitates the transfer of records and intelligence between different law enforcement agencies throughout the country.
Centralized access to police files?
As with the breach in Texas roughly one year ago that compromised a variety of local government agencies throughout the state, a shared vendor was the single point of compromise.
Netsential is a web services company that contracts with various government and law enforcement agencies throughout the country. The company appears to focus on web design for public-facing sites, which raises questions about how it had access to all of these sensitive police files.
Netsential confirmed that there was a breach, and said that it likely stemmed from a compromised user account which then gained further access to the internal network by compromising its file upload system.
Public company profiles and financial information indicate that Netsential is a small company. Information is mixed, but public reports indicate that the company has somewhere between 5 and 40 employees and annual revenue of between half a million to 8 million dollars. It is unclear if the company had some sort of tunnel into client systems by which this information could be exfiltrated, or if the contents of the data dump were simply sitting somewhere on their servers. Whatever the case, the information was clearly unencrypted.
Colin Bastable, CEO of Lucy Security, commented: “The Netsential website is barebones right now, but checking out the Wayback Machine for the Netsential website shows a consistent typo: “Netsential builds sites with as much or as customer involvement that is desired.” For me that would be a red flag – a sign that I should take a closer look at the company, especially since Netsential advertises the fact that the FBI and DoJ are customers. My point being that Fusion Centers were set up as a Homeland Security initiative post-9/11 in order to facilitate information sharing at all levels of law enforcement – an obvious target for China, Russia, Iran or organized crime.”
The real victims?
While Anonymous and DDoSecrets are framing this as a move made in solidarity with “Black Lives Matter” and similar police reform protests, it appears that the data dump contains a good deal of highly sensitive information about crime victims and subjects of investigations. The information is also not limited to American organizations or subjects. The front page of the DDoSecrets indicates that there is information about citizens of 254 countries including thousands from the tiny Seychelles islands as well as Mexico, Honduras and Canada. The data dump also appears to contain tens of thousands of driver’s license numbers and scans, dates of birth and home addresses among other pieces of sensitive data. DDoSecrets spokesperson Emma Best claims that the group attempted to scrub files for sensitive personal information before release but that they “probably missed things.” Twitter has banned the sharing of URLs leading to the information given that it could cause harm to individuals.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, notes that the leaked data could prove to be more damaging to innocent citizens and undercover law enforcement agents than it is to problematic police officers: “The eventual outcome of this leak will likely have disastrous effects for many innocent people. First, it will likely inflict irreparable reputational, financial and even physical harm to suspects and people charged with crimes who later were acquitted in a court of law.
Furthermore, it will jeopardize legally protected people, like witnesses, who helped investigators convict dangerous criminals. The disclosure will now literally cause the death of the witnesses if their identity is revealed to the criminals or their bloodthirsty accomplices.”
Wired reporting indicates that the police files did contain some information on tracking of and response to the ongoing protests, however. Internal reports indicate that police in some areas are monitoring social media accounts of protesters for anti-police messages, and are also attempting to track Bitcoin donations to groups associated with the protests. The internal memos also indicate that there is at least some credence to the theory that white supremacist groups may be posing as “Antifa” to incite violence at protests.
The information appears to mostly come from state fusion centers that coordinate at a regional level, but some files come from a private FBI coordinator called Infragard and several FBI Academy alumni associations.
The ongoing problem of vendor compromise
There have been numerous and ample warnings about the issue of vendor compromise in recent years prior to this leak of police files, but this may finally be the one to spur increased government action at the state and local level. The Department of Defense recently implemented a new cybersecurity certification model for vendors, something that domestic law enforcement may need a federally mandated equivalent of.
Pulse Secure Global Chief Security Architect Mike Riemer suggests that “zero trust” policies should be implemented immediately in the wake of this breach: “Despite the fact that poor security practices among contractors often result in larger breaches like this one, which included data from over 200 law enforcement agencies, reliance on third-party entities to manage data and digital services continues to grow in the government sector. The only way to immediately begin mitigating this risk is through a Zero Trust framework, which requires thoroughly vetting all users, devices and applications before they have access to sensitive data, which extends to outside vendors.”