A detailed tactical plan for an imminent police raid, a confidential police report containing a description of the alleged crime and the suspect, and a forensic extraction report detailing the content of the suspect’s phone calls. These are some of the files in a huge cache of data pulled from the internal servers of ODIN Intelligence, a technology company that provides apps and services to police, after its website was hacked and defaced over the weekend.
In a message left on ODIN’s website, the group behind the breach said it hacked the company, led by founder and CEO Eric McCauley, after Wired reported that SweepWizard, the company’s flagship app, used by police to coordinate and plan raids by multiple agencies, was insecure and exposing sensitive data about upcoming policing operations to the public web.
The hackers also released the company’s Amazon Web Services private key for accessing data stored in the cloud, and claimed to have “shredded” the company’s data and backups, but not before exfiltrating gigabytes of data from ODIN’s systems.
ODIN develops apps such as SweepWizard and provides them to police departments across the United States. The company is also building technology that allows authorities to remotely monitor convicted sex offenders. But ODIN drew criticism last year for providing authorities with a facial recognition system to identify homeless people and using degrading language in its marketing.
ODIN’s McCauley did not respond to several emails seeking comment prior to publication, but confirmed the hack in a data breach disclosure filed with the California Attorney General’s Office.
The breach exposed not only ODIN’s own vast amount of internal data, but also several gigabytes of sensitive law enforcement data uploaded by ODIN’s police department customers. This breach calls into question not only the cybersecurity of ODIN, but also the security and privacy of the thousands of people whose personal information has been exposed, including victims of crimes and unindicted suspects.
A cache of the hacked ODIN data was provided to DDoSecrets, a non-profit transparency collective that indexes leaked data sets for the public good, including caches from police departments, government agencies, law firms, and militia groups. Emma Best, co-founder of DDoSecrets, told TechCrunch that the collective is limiting distribution of the cache to journalists and researchers because of the amount of personally identifiable data in the ODIN cache.
Little is known about the hack or the intruders responsible for the breach. Best told TechCrunch that the source of the breach was a group called “All Cyber-Cops Are Bastards,” a phrase referenced in the defacement message.
TechCrunch reviewed the data, which included thousands of police files, as well as the company’s source code and internal databases. None of the data appears to be encrypted.
A police document compiled by TechCrunch containing details of an upcoming raid uncovered by the breach. Image credit: TechCrunch (screenshot)
The data includes dozens of folders containing complete tactical plans for upcoming raids, along with suspects’ mugshots, fingerprints and biometric descriptions, and other personal information, including information about individuals who might be present at the time of the raid, such as children, housemates and roommates, some of whom were described as having no criminal history. Many of the documents were labeled “Confidential Law Enforcement Only” and “Control Documents” and were not intended for disclosure outside police departments.
Some files were labeled as test documents and used fake officer names such as “Superman” and “Captain America”. But ODIN also used real-world identities, such as Hollywood actors, who were unlikely to have agreed to have their names used. The document titled “Fresno House Raid” had no markings to suggest it was a test of ODIN’s front system, but stated that the purpose of the raid was to “find a home to live in.”
The leaked cache of ODIN data also contained a system for monitoring sex offenders, which allows police and parole officers to register, supervise and monitor convicted offenders. The cache contained over 1,000 documents related to convicted sex offenders who are required to register with the state of California. These included names, home addresses (if not incarcerated), and other personal information.
The data also contains large amounts of personal information about individuals, including the surveillance technology used by law enforcement to identify or track them. TechCrunch found several screenshots showing people’s faces matched against a facial recognition engine called AFR Engine, a company that provides facial matching technology to police. One photo appears to show a police officer forcing a person’s head in front of another officer’s cell phone camera.
Other files show police using automated license plate readers, known as ANPR, which can identify where a suspect has recently driven. Another document contained all the contents of a convicted offender’s mobile phone, including text messages and photos. One folder contained audio recordings of police interactions, in some of which officers could be heard using force.
TechCrunch has contacted multiple U.S. police departments whose files were found among the stolen data. None responded to requests for comment.
ODIN’s website, which went offline shortly after being compromised, remains inaccessible as of Thursday.
If you have more information about the ODIN Intelligence breach, please contact the security desk on Signal and WhatsApp at +1 646-755-8849 or email zack.whittaker@techcrunch.com.