Detailed tactical plan for impending police raids, secret police reports with descriptions of the crime and alleged suspects, and forensic extract reports detailing the contents of your phone. suspect. These are some of the files in a huge data cache pulled from the internal servers of ODIN Intelligence, a technology company that provides applications and services to police departments, following a hack and deface its website last weekend.
The group behind the breach said in a message left on ODIN’s website that it attacked the company after founder and chief executive Erik McCauley was fired. a report by Wiredfound that the company’s flagship application, SweepWizard, used by police to coordinate and plan multi-agency raids, was unsafe and leaked sensitive data about operations. upcoming police action on the open web.
The hackers also released the company’s Amazon Web Services private keys to access data stored in the company’s cloud and claimed to have “shredded” the company’s data and backups but did not right before stealing gigabytes of data from ODIN’s systems.
ODIN develops and delivers applications, such as SweepWizard, to police departments across the United States. The company also builds technologies that allow authorities to remotely monitor convicted sex offenders. But ODIN was also criticized last year for providing the authorities with a facial recognition system to identify the homeless and uses condescending language in its marketing.
ODIN’s McCauley did not respond to several emails requesting comment before publication but confirmed the hack in data breach disclosure filed with the California attorney general’s office.
The breach exposed not only massive amounts of ODIN’s own internal data, but also gigabytes of confidential law enforcement data uploaded by customers of the ODIN police department. The breach raises questions about ODIN’s cybersecurity but also about the security and privacy of thousands of people — including victims of crime and suspects not charged with any crime — whose Personal information is exposed.
The cache of hacked ODIN data has been made available to DDoSSecrets, a nonprofit transparent collective that indexes leaked datasets in the public interest, such as caches from police departments, government agencies, law firms, and militia groups. DDoSecrets co-founder Emma Best tells TechCrunch that the collective has limited distribution buffer for journalists and researchers has provided large amounts of personally identifiable data in the ODIN cache.
Little is known about the hack or the intruders responsible for the breach. Best told TechCrunch that the source of the breach was a group called “All Cyber Cops Are Bastards,” a phrase the group referred to in the removal notice.
TechCrunch reviewed the data, which includes not only the company’s source code and internal databases, but also thousands of police files. No data appears encrypted.
A police document, edited by TechCrunch, with full details of an upcoming raid due to disclosure breach. Image credits: TechCrunch (screenshot)
The data includes dozens of folders full of tactical plans for upcoming raids, along with photographs of suspects, their fingerprints and biometric descriptions and other personal information. , including intelligence about individuals who may be present at the time of the raid, such as children, roommates, and roommates. some people are described as “not guilty”[inal] history.” Many of the documents are labeled as “secret law enforcement only” and “controlled material” that is not released outside the police department.
Some of the files were labeled as inspection documents and used fake officer names such as “Superman” and “Captain America”. But ODIN also uses real-world identities, such as Hollywood actors, who seem to disagree with the use of their names. A document titled “Finding a Fresno Home” gave no indication that the document was a test of ODIN’s face-to-face systems but said the goal of the raid was to “find a home.” to stay”.
The leaked ODIN data cache also contains a sex offender tracking system, allowing police and parole officers to register, monitor and track convicted criminals. The cache contains more than a thousand documents relating to convicted sex offenders who must be registered with the state of California, including their names, home addresses (if not in custody) and other personal information .
The data also contains large amounts of personal information about individuals, including surveillance techniques that police use to identify or track them. TechCrunch found several screenshots showing people’s faces matching a facial recognition engine called AFR Engine, a company that provides face-matching technology to police departments. One photo shows an officer forcefully holding a person’s head in front of another officer’s phone camera.
Other files show police use of automatic license plate reader, called ANPR, can determine where the suspect has been driving in recent days. Another document contains all the content — including text messages and photos — about a convicted prisoner’s phone, the contents of which were extracted by a forensic extraction tool during the process. compliance testing while the prisoner is on probation. A directory containing recordings of police interactions, some where police use of force is heard.
TechCrunch has contacted several US police departments whose files were found in the stolen data. No one responded to our request for comment.
ODIN’s website, which was down for a short while after the interface change, remained inaccessible as of Thursday.
If you know more about the ODIN Intelligence breach, contact security on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.
