A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com)
Zack Whittaker, reporting for ZDNet: A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.
...uploaded a year later to a web server, believed to be owned by the organization, with no password protection....
Whoever put into place this stunningly amazing illustration of absolute ignorance about security should never be allowed near a keyboard again.
The way law enforcement has decided they don't give a fuck about our privacy, I'm afraid I have little sympathy for this.
If you're in charge of this kind of information, and you put it on a server with no protection, you probably have no business in that job.
Do the police expect us to care about their privacy when they don't care about ours?
I'm sure that Law Enforcement is perfectly fine with the breach. After all, since they have nothing to hide, they have nothing to fear.
Right?
This is why we need strong encryption and authentication as a legal requirement for all personal information databases. Law enforcement may not like it, but if they require backdoors on encryption schemes and access, this will continue to make them as vulnerable as everyone else. They have proven the argument they oppose for us. I get the problems this causes, but the damage allowed by not using proper data protection is generally much worse. And now they may end up learning this the hard way, and that's a shame.
Or not.
These bootlickers are fine having all of our personal data so it's only karmic justice that we get the same. Teach these ham sandwiches a lesson they won't forget.
That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.
Might actually be useful for formulating public policy. And ultimately, who's in charge of formulating public policy?
That's right.
THE PUBLIC!
US law enforcement types love to blame the messenger rather than take responsibility for their mistakes.
Support Right To Repair Legislation.
That happened under Obama so the media basically swept it under the rug.
It was reported on every major news outlet when it happened. So that's a strange notion of "sweeping under the rug" you've got there.
Just from searching the WaPo archives I found more than 4 or 5 dozen stories about the OPM breach going on for months after it was fully disclosed. So, again, you have some weird idea of what "sweep under the rug" means.
Remember, the OPM breach compromised every single federal worker.
The Chicoms got a copy of the OPM database but you can't get it on the dark web, like this one will be. That's a major difference.
I know one of our fellow /.'ers who was seriously trying to get a copy of the OPM database. He turned up suddenly dead last year with a self-inflicted gunshot wound. Probably a coincidence, but he was insistent that I turn off my cell phone before talking about it. No joke - I gave him a copy of Tails as I do for everybody but I have no evidence of causality there.
I only know a few of y'all in person, but you're the best kind of crazy friends.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re "How was it swept under the rug?"
Read the report. Nothing was done. The US gov sat on the discovery about mil/gov data getting accessed for months.
The movement of data in real time out of the USA was allowed.
Nothing was done to protect the data. Nothing was done to secure and encrypt the data.
The data set was left as bait to try and see what was going to be done.
The data set was copied out of the USA. The US gov for some reason expected the data set to be searched and used in real time.
That the access would be back to the US site, not the movement of all data out of the USA. The data set was left open, unencrypted to see how the access and searching would happen.
Nothing was searched for and all the data got copied out as the US gov watched on. The only method discovered was that the data was copied.
The tame US media reported the copy of the gov/mil data set as if a movie studio had a movie archive copied.
Domestic spying is now "Benign Information Gathering"