Cyber attackers breached ODIN Intelligence’s internal servers to steal data that included both internal company information and data uploaded by police department clients. The leak exposed police plans for to-be-launched raids, as well as information on suspects, victims, convicted sex offenders and people who may be in the vicinity of raids, according to TechCrunch.
“The breach raises questions about ODIN’s cybersecurity but also the security and privacy of the thousands of people — including victims of crime and suspects not charged with any offense — whose personal information was exposed,” TechCrunch writes.
ODIN Intelligence provides police departments will services like Sex Offender Need Assessment Rating (SONAR), a system that local and state law enforcement use to remotely monitor registered sex offenders, and SweepWizard, an app police use for coordinating and planning raids. Transparency organization Distributed Denial of Secrets (DDoSecrets) received the data, which it is providing to journalists and researchers. DDoSecrets states that it has 19 GB of information from ODIN Intelligence and SweepWizard, while an ODIN notice of data breach described a theft of 16GB.
This past weekend, cyber attackers hacked ODIN and defaced its websites. Attackers also published what they said were ODIN’s Amazon Web Services (AWS) private keys — enabling access to data the company’s stored on the cloud — and said it “shredded” the company’s backups after exfiltrating, per TechCrunch. DDoSecrets co-founder Emma Best told Tech Crunch that the perpetrators go under the group name “All Cyber-Cops Are Bastards.”
While some stolen files reportedly were marked as “tests” and filled out with blatantly fake details (such as officers named “Superman”), others describe real monitoring and tactics. The collection includes “a large amount of personal information about individuals, including the surveillance techniques that police use to identify or track them,” per TechCrunch.
The leaked information reportedly includes details like the names and home addresses of registered sex offenders, per TechCrunch. Other data includes the “full contents” of one individual’s phone, which police had obtained as part of a compliance check on the owner, who was on probation.
ODIN CEO Erik McCauley states in the data breach notice that “the data accessed included personal information such as names, locations, height, weight, eye color, age, and social security numbers in ongoing operations where SweepWizard and other ODIN systems have been used.”
TechCrunch found that “the data included dozens of folders with full tactical plans of upcoming raids, alongside suspect mugshots, their fingerprints and biometric descriptions and other personal information, including intelligence on individuals who might be present at the time of the raid, like children, cohabitants and roommates, some of whom are described as having ‘no crim[inal] history.’ Many of the documents were labeled as ‘confidential law enforcement only’ and ‘controlled document’ not for disclosure outside of the police department.”
ODIN had recently received warning about issues with its SweepWizard product. WIRED found that the app “had been leaking a trove of confidential details about the operation to the open Internet,” the publication wrote.
McCauley said in a Jan. 17 data breach notice that ODIN received WIRED’s warning between Jan. 5 and 10, after which the company tried and failed to reproduce the issue described by the publication. Still, ODIN took servers offline. On Jan. 10, the WIRED reporter again contacted ODIN to say they’d been able to gain unauthorized access to confidential law enforcement apps via SweepWizard. Four days later, cyber attackers “claimed to have” breached ODIN’s systems and stolen data.
In the notice, McCauley says ODIN is reviewing “the potentially affected computer system,” working with law enforcement in response to the event, and has taken further security measures intended to prevent a repeat incident.
