A major supply chain breach appears to have led to the exposure of hundreds of thousands of sensitive US police records dating back over two decades.
WikiLeaks-like organization Distributed Denial of Secrets released the trove on Friday, claiming it contained 10 years of data from over 200 police departments, fusion centers and other training and support resources. Fusion centers are designed to promote info-sharing between state and local police departments.
“BlueLeaks provides unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning #COVID19,” the group tweeted.
The 269GB trove contains “police and FBI reports, bulletins, guides and more,” it said.
A National Fusion Center Association (NFCA) alert seen by journalist and researcher Brian Krebs apparently confirmed the breach but claimed the leaked data actually dates back 24 years, to August 1996.
It is said to contain names, email addresses, phone numbers, ACH routing numbers and international bank account numbers (IBANs), as well as personally identifiable information (PII) and images of suspects.
“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA reportedly wrote.
“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
There are fears that the data could endanger lives if used by organized crime groups to unmask undercover police officers and witnesses, while potentially causing reputational harm to suspects who were subsequently released.
“It's no surprise that law enforcement was the target of this data breach. With the current civil and political climate, a wide range of threat actors, from activists to nation states, would be interested in revealing this sort of confidential information,” argued Gurucul CEO Saryu Nayyar.
“Now is a good time to review and update security postures, policies and tools, especially where they involve third party vendors and SaaS applications that may not give an organization direct control of their sensitive data.”