Detailed tactical plans for imminent police raids, confidential police reviews with descriptions of alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect’s cellphone. These are a number of the recordsdata in an enormous cache of knowledge taken from the interior servers of ODIN Intelligence, a tech firm that gives apps and providers to police departments, following a hack and defacement of its web site over the weekend.
The group behind the breach stated in message left on ODIN’s web site that it hacked the corporate after its founder and chief government Erik McCauley dismissed a report by Wired, which found the corporate’s flagship app SweepWizard, utilized by police to coordinate and plan multi-agency raids, was insecure and spilling delicate knowledge about upcoming police operations to the open internet.
The hackers additionally printed the corporate’s Amazon Web Services non-public keys for accessing its cloud-stored knowledge and claimed to have “shredded” the corporate’s knowledge and backups however not earlier than exfiltrating gigabytes of knowledge from ODIN’s techniques.
ODIN develops and gives apps, like SweepWizard, to police departments throughout the United States. The firm additionally builds applied sciences that enable authorities to remotely monitor convicted intercourse offenders. But ODIN additionally drew criticism final yr for providing authorities a facial recognition system for figuring out homeless folks and utilizing degrading language in its advertising.
ODIN’s McCauley didn’t reply to a number of emails requesting remark previous to publication however confirmed the hack in an information breach disclosure filed with the California legal professional normal’s workplace.
The breach not solely exposes huge quantities of ODIN’s personal inside knowledge but additionally gigabytes of confidential regulation enforcement knowledge uploaded by ODIN’s police division prospects. The breach raises questions on ODIN’s cybersecurity but additionally the safety and privateness of the hundreds of individuals — together with victims of crime and suspects not charged with any offense — whose private data was uncovered.
The cache of hacked ODIN knowledge was offered to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets within the public curiosity, corresponding to caches from police departments, authorities businesses, regulation corporations and militia teams. DDoSecrets co-founder Emma Best instructed TechCrunch that the collective has restricted the distribution of the cache to journalists and researchers given the huge quantity of personally identifiable knowledge within the ODIN cache.
Little is thought concerning the hack or the intruders answerable for the breach. Best instructed TechCrunch that the supply of the breach is a gaggle referred to as “All Cyber-Cops Are Bastards,” a phrase it referenced within the defacement message.
TechCrunch reviewed the info, which not solely consists of the corporate’s supply code and inside database but additionally hundreds of police recordsdata. None of the info seems encrypted.
A police doc, redacted by TechCrunch, with full particulars of an upcoming raid uncovered by the breach. Image Credit: TechCrunch (screenshot)
The knowledge included dozens of folders with full tactical plans of upcoming raids, alongside suspect mugshots, their fingerprints and biometric descriptions and different private data, together with intelligence on people who could be current on the time of the raid, like kids, cohabitants and roommates, a few of whom described as having “no crim[inal] history.” Many of the paperwork had been labeled as “confidential law enforcement only” and “controlled document” not for disclosure exterior of the police division.
Some of the recordsdata had been labeled as check paperwork and used faux officer names like “Superman” and “Captain America.” But ODIN additionally used actual world identities, like Hollywood actors, who’re unlikely to have consented to their names getting used. One doc titled “Fresno House Search” bore no markings to counsel the doc was a check of ODIN’s front-facing techniques however said the raid’s goal was to “find a house to live in.”
The leaked cache of ODIN knowledge additionally contained its system for monitoring intercourse offenders, which permits police and parole officers to register, supervise and monitor convicted criminals. The cache contained greater than a thousand paperwork regarding convicted intercourse offenders who’re required to register with the state of California, together with their names, house addresses (if not incarcerated) and different private data.
The knowledge additionally accommodates a considerable amount of private details about people, together with the surveillance methods that police use to determine or observe them. TechCrunch discovered a number of screenshots exhibiting folks’s faces matched in opposition to a facial recognition engine referred to as AFR Engine, an organization that gives face-matching expertise to police departments. One photograph seems to indicate an officer forcibly holding an individual’s head in entrance of one other officer’s cellphone digital camera.
Other recordsdata present police utilizing automated license plate readers, often called ANPR, which may determine the place a suspect drove in current days. Another doc contained the total contents — together with textual content messages and photographs — of a convicted offender’s cellphone, whose contents had been extracted by a forensic extraction device throughout a compliance verify whereas the offender was on probation. One folder contained audio recordings of police interactions, some the place officers are heard utilizing drive.
TechCrunch contacted a number of U.S. police departments whose recordsdata had been discovered within the stolen knowledge. None responded to our requests for remark.
ODIN’s web site, which went offline a short while after it was defaced, stays inaccessible as of Thursday.
If you already know extra concerning the ODIN Intelligence breach, get in contact with the safety desk on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by e mail.