Comment: Potentially Sensitive Data From Over 200 US Police Departments Exposed Online By ‘BlueLeaks’

Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

Experts Comments

June 23, 2020
Timothy Chiu
Vice President of Marketing
K2 Cyber Security
The ‘BlueLeaks’ event is another good reminder that organizations aren’t silos in data security. Every organization’s security depends on the security of all their partners as well as their own. Your partners need to be practicing as good security hygiene (if not better) than you are in order to protect your shared applications and assets.
June 23, 2020
Saryu Nayyar
CEO
Gurucul
It's no surprise that Law Enforcement was the target of this data breach. With the current civil and political climate, a wide range of threat actors, from activists to nation-states, would be interested in revealing this sort of confidential information. Going forward, especially with the current election cycle, we can expect to see more events like this. Now is a good time to review and update security postures, policies, and tools, especially where they involve 3rd party vendors and SaaS applications that may not give an organization direct control of their sensitive data.
June 23, 2020
Sam Curry
Chief Security Officer
Cybereason
At the moment, we know that a lot of information has been leaked but not how it was leaked or the potential impact of the data. My advice to Netsential is first to do the right thing, and this doesn’t mean anything unusual. They will know what it is, but remember that your customers, partners and history will see it all and will determine whether you are a hero or a villain. There’s no in-between, and unlike in human-to-human interactions, you don’t get to play the victim in this drama. There are already victims: your customers which in this case is hundreds of police departments. It’s highly likely that this is going to get political too between it being a presidential year and the scrutiny on police departments and law enforcement agencies, which means everyone should be prepared for more scrutiny but also for social media backlash based on what data leaks and eventually lawsuits and subpoenas. For both Netsential and any law enforcement agencies that come under scrutiny, make sure that you are making the right decisions, for the right reasons, and get help with the crisis part. There are law firms and technology companies that specialize in this and there’s a community that will respond well to a hero and very poorly to a villain.
June 23, 2020
Niamh Muldoon
Senior Director of Trust and Security, EMEA
OneLogin
The kind of information held by Police departments is likely to be extremely sensitive – As well as the usual PII organisations would hold, Police forces will also hold records of criminal convictions or arrests, which are tailor made for cybercriminals to use for social engineering or blackmail purposes. If public-facing organisations want to stay trusted then they must prioritise security and protecting their data and if they cannot attract and retain cybersecurity professionals, then they must partner with trusted partners who can support them in delivering trusted security platforms and expertise services, allowing the police to focus on policing instead of dealing with incidents such as this. The Police forces should make the individuals involved aware so they can take extra precautions and remain vigilant to any inbound attempts to further compromise them based on this leak.
June 23, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Ignoring the obvious political aspects of the BlueLeaks data collection, it’s worth asking why the underlying data wasn’t properly protected from accidental viewing. If, as reported, the dataset contains sensitive information including identifiable banking information, suspect images, PDF files, personal information and videos among other items, it would appear that either decryption keys were part of the breach or unencrypted information was stored with an assumption that law enforcement servers were resilient to resourceful attackers. While modern encryption standards might not be applied to historical records, secured file access and auditing are independent of available encryption within a given document format and can be used to bolster legacy encryption processes. Unfortunately, as concerning as this data breach might be, the bigger question is whether the original data was tampered with. If the underlying filesystem was implicitly trusted, then it’s possible the credentials used in the attack may have granted “write” access to files. Identifying any potential pollution of law enforcement records will naturally be a high priority, but also a time consuming one.
June 23, 2020
Colin Bastable
CEO
Lucy Security
At the heart of cyber-risk is convenience – making it easy to upload files and build a website has also enabled the hackers to score a spectacular win against US law enforcement. The Netsential website is barebones right now, but checking out the Wayback Machine for the Netsential website shows a consistent typo: “Netsential builds sites with as much or as customer involvement that is desired.” For me that would be a red flag – a sign that I should take a closer look at the company, especially since Netsential advertise the fact that the FBI and DoJ are customers. My point being that Fusion Centers were set up as a Homeland Security initiative post-9/11 in order to facilitate information sharing at all levels of law enforcement – an obvious target for China, Russia, Iran or organized crime. You would expect the FBI to have identified this potential point of entry and remedied it. The Feds have been living off their reputation and believing their own propaganda for far too long now. My heart goes out to those many people whose information is compromised.
June 22, 2020
Ilia Kolochenko
Founder and CEO
ImmuniWeb
The eventual outcome of this leak will likely have disastrous effects for many innocent people. First, it will likely inflict irreparable reputational, financial and even physical harm to suspects and people charged with crimes who later were acquitted in a court of law. Furthermore, it will jeopardize legally protected people, like witnesses, who helped investigators convict dangerous criminals. The disclosure will now literally cause the death of the witnesses if their identity is revealed to the criminals or their bloodthirsty accomplices. Finally, it will substantially hinder the performance of daily law enforcement operations across the entire country, bolstering street crimes and violent crime, exposing thousands of helpless people to the risk of serious bodily injuries and death. The underlying motives of the publication are obscure for the time-being, however, one thing is crystal-clear and undisputable is that the perpetrators will be morally and [probably] legally accountable for countless ruined lives of innocent people having any relation to the [now criticized] police. Given the surrounding technical circumstances of the leak, it may be reasonable to suppose that the perpetrators have left numerous traces and digital footprints while exfiltrating the data and publishing it online. I think a rapid investigation by Federal and state law enforcement agencies will rapidly shed light on the identities of the wrongdoers. I won’t be surprised if later they will be charged with conspiracy, aiding and abetting murders and other felonies punishable by a life sentence. It may be an exemplary case aimed to demonstrate zero tolerance of the society to cybercrimes aimed to take away innocent lives of people of all ages, social groups and races. From a technical standpoint, it is a painful reminder that third-party security is essential to protect your organization from cyber threats in 2020. 
You cannot just implement and ensure security in-house but also need to keep an eye on all your trusted parties that have any access to your data or systems.
June 22, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
This is a huge breach both in terms of size, the nature of data, and the length of time it spans. While details are not clear as to how the breach occurred, it does look like it stems from a third party, which serves as a reminder for organisations of all sizes that ensuring security across the complete supply chain is vital. Not only is up front due diligence necessary, but so is ongoing assurance. Smaller organisations which provide services, should also be aware that they are legitimate targets and should not consider themselves to be 'too small to attack'.