How the BlueLeaks data breach happened

David Strom 30 Jun 2020

The massive breach of law enforcement data called BlueLeaks could have been prevented with the right security tools.

Earlier this month, a group of hackers published a massive dataset stolen from various local law enforcement agencies. The data has been labeled BlueLeaks and contains more than 269 GB of thousands of police reports that go back at least two decades from hundreds of agencies from around the US. The reports list private data including names, email addresses, phone numbers and bank accounts. The source is a group called Distributed Denial of Secrets or DDoSecrets, which like Wikileaks has been publishing various leaked datasets for many years. The data can be easily searched as shown in the screenshot below. (After the group tweeted a link to the data, Twitter suspended their account.)

The leak came about through a compromised account at the managed hosting provider Netsential.com based in Houston. The provider’s website has been changed to show very minimal information after the breach, but earlier versions found on Archive.org state the claim that they build sites that are easy to use: “If you can cut and paste - you can maintain and update your website with Netsential's browser-based software.” That doesn’t bode well for their security protocols however.

This provider has a number of police and public safety clients, including the U.S. Departments of Justice and Homeland Security, along with many local law enforcement agencies and what are called Fusion Centers. These are typically state-funded operations which were set up post-9/11 to facilitate information sharing among various public safety agencies about threats to public safety. For example, here is a link to the California fusion center. On their website, they state that they help with “detection, prevention, investigation and response to criminal and terrorist activity, disseminates intelligence and facilitates communications” among various local and state agencies.

The national trade association for these fusion centers confirmed that the BlueLeaks data was a legitimate leak, according to correspondence obtained by security researcher Brian Krebs. The association issued an email alert to its members after the leak. One of Krebs’ sources says, “this data is unlikely to shed much light on police misconduct but could expose sensitive law enforcement investigations and even endanger lives.” ZDnet published copies of various tweets showing samples of data shared about the recent Black Lives Matter protests that were generated in the past several weeks.

The fusion centers are tempting for hackers because they consolidate so much data in a single place. Colin Bastable, the CEO of Lucy Security, said that “they are an obvious target for China, Russia, Iran or organized crime. You would have expected the FBI to have identified this potential point of entry and remedied it” by now.

DDoSecrets has been around for many years and has cataloged dozens of data leaks on their website, including other government sources from around the world. The group lists various hackers who are interested in promoting transparency on their site, along with ways to contact them with new leaks. They claim they vet each leak to determine if it is legit before posting it online. 

What BlueLeaks shows is that third-party IT providers need to be properly vetted for their internal security methods. While having an easy-to-update website is great, it needs to be secure and all accounts should use multi-factor authentication and other tools to ensure that only authorized users have access. It demonstrates the need for data leak protection products that can signal when significant download volumes or downloads of sensitive information have happened.

Update August 20, 2020: a South Dakota news bureau tied this breach to the exposure of its region’s COVID-19 patients’ data:  Massive data breach affects SD COVID-19 patients.

Related articles

--> -->