Confidential Police Reports Stolen by Hackers After ODIN Intelligence Attack

ODIN Intelligence, a tech company that provides services and apps for police departments, suffered a hack and defacement of its website. The hackers behind the attack got away with a large data cache, including files such as:

  • Confidential police reports with descriptions of alleged crimes and suspects
  • A forensic extraction report detailing the contents of a suspect’s phone, and
  • Detailed tactical plans for imminent police raids

ODIN develops apps for police departments across the United States, and its flagship app used to plan and coordinate multi-agency operations is called SweepWizard.

This breach has raised questions about the company’s cybersecurity

Wired published a report earlier this month, claiming the app is vulnerable and that it’s actively leaking sensitive data about upcoming police operations to the web.

The hackers responsible for the data breach left a message on the website of ODIN Intelligence, saying that they hacked the company after its founder and chief executive Erik McCauley dismissed the report from Wired.

After defacing its website, the hackers published the company’s Amazon Web Services private keys that grant access to its cloud-stored data.

The group also claimed to have “shredded” the company’s backups and internal data but not before extracting gigabytes of data from its systems.

ODIN Intelligence faced criticism last year after it offered a facial recognition system for identifying homeless people to the authorities, using derogatory language in its promotion. The company also builds technologies that allow for remote monitoring of sex offenders by the authorities.

The breach, exposing more than just ODIN’s internal data, raises questions about the company’s cybersecurity and the privacy and security of thousands of people, including suspects not charged with any offense and victims of crimes.

Besides a large amount of ODIN’s internal data, gigabytes of confidential law enforcement data uploaded by ODIN’s police department customers were also exposed.

DDoSecrets, a nonprofit organization that shares leaked datasets for the public interest, received a cache of hacked ODIN data but limited its distribution to the public to journalists and researchers because of the vast amount of personally identifiable data it contains.

Although there’s little information about the group behind the attack, DDoSecrets co-founder Emma Best told TechCrunch that it refers to itself as “All Cyber-Cops Are Bastards,” a phrase left on ODIN’s website by the intruders.

What Was in the Hack?

TechCrunch said it reviewed the data, which includes thousands of police files besides the company’s internal database and source code, and that none of the data seems encrypted.

Many documents found in the cache, labeled as “confidential law enforcement only” and “controlled document,” were never supposed to be disclosed outside the police department. The data contained information about:

  • Upcoming police raids
  • Suspect mugshots and biometric descriptions
  • Fingerprints and other personal information

It also included intelligence on individuals who might be present at the time of the raid, like roommates, cohabitants, and children, some of whom were described as having “no crim[inal] history.”

While some files, marked as test files, used fake officer names like “Captain America” and “Superman,” ODIN also used real-world identities, like Hollywood actors, most likely without their consent.

The leaked data cache also included ODIN’s system for remote monitoring of sex offenders, which allows police and parole officers to register, monitor, and supervise convicted criminals.

The data includes over a thousand documents relating to convicted sex offenders who are required to register with the state of California, including their personal information.

Other files contain a large amount of information about individuals and the surveillance techniques the police used to track or identify them, and information on the utilization of AFR Engine face-matching technology provided to police departments by the company.

TechCrunch found several screenshots showing people’s faces matched against the facial recognition system, with one photo seemingly showing,

An officer forcibly holding a person’s head in front of another officer’s phone camera.

None of the police departments whose files were found in the stolen data responded to TechCrunch’s requests for comment. As of Thursday, ODIN’s website remains inaccessible after going offline following its defacement.

Read More Software News:

North Korean Hackers Abuse Internet Explorer’s Zero-Day Vulnerability

Microsoft-Approved Drivers Used to Hack Targets in Ransomware Attacks

T-Mobile Suffers Massive Breach as Hackers Steal Data from 37 Million Customers