Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.
The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.
It\’s no surprise that Law Enforcement was the target of this data breach. With the current civil and political climate, a wide range of threat actors, from activists to nation-states, would be interested in revealing this sort of confidential information. Going forward, especially with the current election cycle, we can expect to see more events like this.
Now is a good time to review and update security postures, policies, and tools, especially where they involve 3rd party vendors and SaaS applications that may not give an organization direct control of their sensitive data.
At the moment, we know that a lot of information has been leaked but not how it was leaked or the potential impact of the data. My advice to Netsential is first to do the right thing, and this doesn’t mean anything unusual. They will know what it is, but remember that your customers, partners and history will see it all and will determine whether you are a hero or a villain. There’s no in-between, and unlike in human-to-human interactions, you don’t get to play the victim in this drama. There are already victims: your customers which in this case is hundreds of police departments.
It’s highly likely that this is going to get political too between it being a presidential year and the scrutiny on police departments and law enforcement agencies, which means everyone should be prepared for more scrutiny but also for social media backlash based on what data leaks and eventually lawsuits and subpoenas. For both Netsential and any law enforcement agencies that come under scrutiny, make sure that you are making the right decisions, for the right reasons, and get help with the crisis part. There are law firms and technology companies that specialize in this and there’s a community that will respond well to a hero and very poorly to a villain.
The kind of information held my Police departments is likely to be extremely sensitive – As well as the usual PII organisations would hold, Police forces will also hold records of criminal convictions or arrests, which are tailor made for cybercriminals to use for social engineering or blackmail purposes. If public-facing organisations want to stay in trusted then they must prioritise security and protecting their data and if they cannot attract and retain cybersecurity professionals, then they must partner with trusted partners who can support them in delivering trusted security platforms and expertise services, allowing the police to focus on policing instead of dealing with incidents such as this. The Police forces should make the individuals involved aware so they can take extra precautions and remain vigilant to any inbound attempts to further compromise them based on this leak.
The ‘BlueLeaks’ event is another good reminder that organizations aren’t silos in data security.
Every organization’s security depends on the security of all their partners as well as their own. Your partners need to be practicing as good security hygiene (if not better) than you are in order to protect your shared applications and assets.
Ignoring the obvious political aspects of the BlueLeaks data collection, it’s worth asking why the underlying data wasn’t properly protected from accidental viewing. If, as reported, the dataset contains sensitive information including identifiable banking information, suspect images, PDF files, personal information and videos among other items, it would appear that either decryption keys were part of the breach or unencrypted information was stored with an assumption that law enforcement servers were resilient to resourceful attackers. While modern encryption standards might not be applied to historical records, secured file access and auditing are independent of available encryption within a given document format and can be used to bolster legacy encryption processes.
Unfortunately, as concerning as this data breach might be, the bigger question is whether the original data was tampered with. If the underlying filesystem was implicitly trusted, then it’s possible the credentials used in the attack may have granted “write” access to files. Identifying any potential pollution of law enforcement records will naturally be a high priority, but also a time consuming one.