A hack at ODIN Intelligence exposes an enormous trove of police raid recordsdata

Detailed tactical plans for imminent police raids, confidential police reviews with descriptions of alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect’s cellphone. These are a few of the recordsdata in an enormous cache of information taken from the interior servers of ODIN Intelligence, a tech firm that gives apps and providers to police departments, following a hack and defacement of its website over the weekend.

The group behind the breach mentioned in message left on ODIN’s web site that it hacked the corporate after its founder and chief government Erik McCauley dismissed a report by Wired, which found the corporate’s flagship app SweepWizard, utilized by police to coordinate and plan multi-agency raids, was insecure and spilling delicate information about upcoming police operations to the open net.

The hackers additionally printed the corporate’s Amazon Net Companies personal keys for accessing its cloud-stored information and claimed to have “shredded” the corporate’s information and backups however not earlier than exfiltrating gigabytes of information from ODIN’s methods.

ODIN develops and supplies apps, like SweepWizard, to police departments throughout the USA. The corporate additionally builds applied sciences that enable authorities to remotely monitor convicted intercourse offenders. However ODIN additionally drew criticism final 12 months for providing authorities a facial recognition system for identifying homeless people and utilizing degrading language in its advertising and marketing.

ODIN’s McCauley didn’t reply to a number of emails requesting remark previous to publication however confirmed the hack in a data breach disclosure filed with the California legal professional common’s workplace.

The breach not solely exposes huge quantities of ODIN’s personal inside information but in addition gigabytes of confidential legislation enforcement information uploaded by ODIN’s police division clients. The breach raises questions on ODIN’s cybersecurity but in addition the safety and privateness of the 1000’s of individuals — together with victims of crime and suspects not charged with any offense — whose private info was uncovered.

The cache of hacked ODIN information was supplied to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets within the public curiosity, corresponding to caches from police departments, authorities businesses, legislation companies and militia teams. DDoSecrets co-founder Emma Greatest informed TechCrunch that the collective has restricted the distribution of the cache to journalists and researchers given the huge quantity of personally identifiable information within the ODIN cache.

Little is thought concerning the hack or the intruders chargeable for the breach. Greatest informed TechCrunch that the supply of the breach is a bunch referred to as “All Cyber-Cops Are Bastards,” a phrase it referenced within the defacement message.

TechCrunch reviewed the info, which not solely contains the corporate’s supply code and inside database but in addition 1000’s of police recordsdata. Not one of the information seems encrypted.

A police doc, redacted by TechCrunch, with full particulars of an upcoming raid uncovered by the breach. Picture Credit score: TechCrunch (screenshot)

The information included dozens of folders with full tactical plans of upcoming raids, alongside suspect mugshots, their fingerprints and biometric descriptions and different private info, together with intelligence on people who could be current on the time of the raid, like kids, cohabitants and roommates, a few of whom described as having “no crim[inal] historical past.” Most of the paperwork have been labeled as “confidential legislation enforcement solely” and “managed doc” not for disclosure outdoors of the police division.

A number of the recordsdata have been labeled as take a look at paperwork and used faux officer names like “Superman” and “Captain America.” However ODIN additionally used actual world identities, like Hollywood actors, who’re unlikely to have consented to their names getting used. One doc titled “Fresno Home Search” bore no markings to recommend the doc was a take a look at of ODIN’s front-facing methods however acknowledged the raid’s goal was to “discover a home to stay in.”

The leaked cache of ODIN information additionally contained its system for monitoring intercourse offenders, which permits police and parole officers to register, supervise and monitor convicted criminals. The cache contained greater than a thousand paperwork regarding convicted intercourse offenders who’re required to register with the state of California, together with their names, house addresses (if not incarcerated) and different private info.

The information additionally incorporates a considerable amount of private details about people, together with the surveillance strategies that police use to determine or monitor them. TechCrunch discovered a number of screenshots exhibiting individuals’s faces matched in opposition to a facial recognition engine referred to as AFR Engine, an organization that gives face-matching expertise to police departments. One picture seems to point out an officer forcibly holding an individual’s head in entrance of one other officer’s cellphone digicam.

Different recordsdata present police utilizing automatic license plate readers, often called ANPR, which may determine the place a suspect drove in latest days. One other doc contained the complete contents — together with textual content messages and images — of a convicted offender’s cellphone, whose contents have been extracted by a forensic extraction software throughout a compliance examine whereas the offender was on probation. One folder contained audio recordings of police interactions, some the place officers are heard utilizing drive.

TechCrunch contacted a number of U.S. police departments whose recordsdata have been discovered within the stolen information. None responded to our requests for remark.

ODIN’s web site, which went offline a short while after it was defaced, stays inaccessible as of Thursday.

If extra concerning the ODIN Intelligence breach, get in contact with the safety desk on Sign and WhatsApp at +1 646-755-8849 or [email protected] by e mail.