Hundreds of thousands of highly sensitive files belonging to more than 200 police departments, fusion centers, and other law enforcement training and support resources across the United States were leaked online last week, according to the security blog KrebsOnSecurity.
The data collection, called “BlueLeaks” – nearly 269 gigabytes in total – was published by Distributed Denial of Secrets (DDoSecrets), a hacktivist group that describes itself as a “collective for transparency” and is often described as an alternative to WikiLeaks.
The group also credited the infamous hacker collective Anonymous with finding the data.
DDoSecrets in a post on Twitter said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers, and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”
RELEASE: #BlueLeaks (269 GB)
Ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources. Among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more. https://t.co/sWzdKc2VFc
— Distributed Denial of Secrets (@DDoSecrets) June 19, 2020
According to KrebsOnSecurity, the files are available on a searchable web portal and are legitimate. The data stems from a security breach at Houston-based web hosting company Netsential Inc., which maintains several state law enforcement data-sharing portals and hosts the web server for the National Fusion Center Association (NFCA).
The BlueLeaks data contains millions of files, including names, email addresses, phone numbers, images, PDF documents, videos, web pages, text files, audio files, and more.
In a statement, NFCA confirmed the data’s validity, saying that the “dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.”
“Additionally, the data dump contains emails and associated attachments. Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports,” the NFCA alert reads.
“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise. Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
The files, which can be downloaded, also contained intelligence on the recent countrywide Black Lives Matter protests in the U.S. over the death of George Floyd, a man who was killed while in the custody of Minneapolis police.
Netsential didn’t immediately respond to a request for comment.
Emma Best, a journalist and activist who has previously published revelations about Anonymous, told Motherboard in an online chat, “It’s the largest leak of US law enforcement data, and because of its nature it lets people look at policing on the local, state and national levels. It shows how law enforcement has reacted to the protests, it shows government handling of COVID, and it shows a lot of things that are entirely legal and normal and horrifying.”
The BlueLeaks data set was released on June 19, also known as “Juneteenth,” the oldest nationwide commemoration of the end of slavery in the United States.