Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Privacy United States

A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com) 68

Zack Whittaker, reporting for ZDNet: A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.
This discussion has been archived. No new comments can be posted.

A Massive Cache of Law Enforcement Personnel Data Has Leaked

Comments Filter:
  • by QuietLagoon ( 813062 ) on Friday June 29, 2018 @10:55AM (#56865796)

    ...uploaded a year later to a web server, believed to be owned by the organization, with no password protection....

    Whoever put into place this stunningly amazing illustration of absolute ignorance about security should never be allowed near a keyboard again.

    • In an ideal world. In ours, I'm sure it will be found they acted completely appropriately and 100% of the blame (and charges) will fall on whoever downloaded their wide open file.
      • by dknj ( 441802 )

        I'm thinking about reality, and catchign this problem may be very difficult.

        What if this company (before it had strict IT controls in place) allowed employees to rent EC2 servers on their CC. Well DB/Windows/SysEngineerAdmin said let me spin up an EC2 server where I can dump my shit so I don't have to do stupid vpn tricks to move data around. He then lets others use said server, then forgets about it because what's $20/mo when you're making IT money? Someone stages a prod SQL dump with a random ass name

  • by Anonymous Coward on Friday June 29, 2018 @10:55AM (#56865800)

    The way law enforcement has decided they don't give a fuck about our privacy, I'm afraid I have little sympathy for this.

    If you're in charge of this kind of information, and you put it on a server with no protection, you probably have no business in that job.

    Do the police expect us to care about their privacy when they don't care about ours?

  • Not A Problem (Score:5, Insightful)

    by StormReaver ( 59959 ) on Friday June 29, 2018 @10:55AM (#56865802)

    I'm sure that Law Enforcement is perfectly fine with the breach. After all, since they have nothing to hide, they have nothing to fear.

    Right?

  • What is the underlying problem for these data breaches? Sloppy admins? Inadequate management? Lack of funding to do the job properly?

    • by gweihir ( 88907 )

      The root cause is almost universally utterly clueless management. Whether it is by hiring people that cannot do the job, ignoring warnings or actively preventing competent people from fixing problems, it always comes down to failures in "leadership".

  • by Falconnan ( 4073277 ) on Friday June 29, 2018 @10:57AM (#56865814)
    This is why we need strong encryption and authentication as a legal requirement for all personal information databases. Law enforcement may not like it, but if they require backdoors on encryption schemes and access, this will continue to make them as vulnerable as everyone else. They have proven the argument they oppose for us. I get the problems this causes, but the damage allowed by not using proper data protection is generally much worse. And now they may end up learning this the hard way, and that's a shame.
    • by gweihir ( 88907 )

      Encryption does not help. These databases are _online_ when they get stolen. This is not somebody walking into a data-center and stealing disks.

      • by sjames ( 1099 )

        In this case, it wouldn't have. Other breeches involve grabbing files out of storage. In those cases it makes all the difference.

        • by gweihir ( 88907 )

          Sure, you need storage encryption. It is just rare that it helps for this type of problem, because these "other breaches" are very rare exceptions. They typically involve laptops getting stolen or backup media getting disposed of insecurely.

          Incidentally, "breeches" are a type of riding pants.

          • by sjames ( 1099 )

            They also happen when someone sets their AWS s3 permissions wrong or someone gets a shell on the server. Occasionally because someone's PHP doesn't sanitize requests.

            • by gweihir ( 88907 )

              For the case where somebody has a shell or somebody screwed up web-application security, encryption is worthless assuming the data gets accessed. If it does not get accessed, it qualifies as "backup". Encryption only protects data that is not in use. If you put confidential data on s3 for other purposes than encrypted backup, you deserve all the hurt that is coming your way.

    • by Anonymous Coward

      The problem is not that we have all this sensitive information left out in the open. The problem is that it exists in the first place. Our great grand parents would be shocked that there is one social security number being used to identify and control all the citizens in the USA. They would saddened that the once freedom loving USAians are so happy with this fact.

      Social security numbers were invented by the elite so they could cheaply and easily identify and hand out allotments and collect payments from

    • That helps some, but isn't the complete solution. You still have to be able to access the data in an automated way.

      For example, we use encrypted columns with Microsoft's attempt at an SQL server, and of course if you have a bug in your web app then that doesn't help since it will still expose unencrypted data. Another example is using encrypted at rest file systems. Doesn't help when the drive is mounted.

  • by greenwow ( 3635575 ) on Friday June 29, 2018 @11:05AM (#56865876)

    Or not.

    • by Anonymous Coward

      If the OPM data breach didn't change anything, nothing will.

      • That incident didn't get near the coverage in the media that it deserved. It contained potentially incriminating data including mental health and financial records from background checks for over 20 million people. It's a gold mine of potential blackmail information that could be used against our federal employees and military.

        • by Anonymous Coward

          That happened under Obama so the media basically swept it under the rug.

          You didn't mention the 5+ million fingerprints also stolen.

          > potential blackmail

          A Chinese citizen was arrested by the FBI for creating the malware used in the attack.

          • Re: (Score:3, Informative)

            by Desler ( 1608317 )

            That happened under Obama so the media basically swept it under the rug.

            It was reported on every major news outlet when it happened. So that's a strange notion of "sweeping under the rug" you've got there.

          • by Desler ( 1608317 )

            Just from searching the WaPo archives I found more than 4 or 5 dozen stories about the OPM breach going on for months after it was fully disclosed. So, again, you have some weird idea of what "sweep under the rug" means.

            • by AHuxley ( 892839 )
              Reporting that the data moved out of the USA was not reporting on why the data to moved out and why nothing was done to protect the data once access was discovered. The US gov watched for a long time. Nothing was done. The data movement out of the USA was watched. The full data set was allowed to be copied.
        • by Anonymous Coward

          Yep. It's a directory of every single person - military, civilian, or contractor - who holds or has ever held a security clearance, including all their most sensitive information, all their dirty laundry, and a convenient list of all their family members and closest friends.

          Seriously, this should have been the MOST classified database in the entire world. If there was only one thing deserving SCI protection, it should have been this.

          But nope. They let China log right in and download it. And who knows wh

  • by Jeremy Erwin ( 2054 ) on Friday June 29, 2018 @11:15AM (#56865944) Journal

    That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.

    Might actually be useful for formulating public policy. And ultimately, who's in charge of formulating pubic policy?
    That's right.

    THE PUBLIC!

  • Too Late, this was already stolen in the OPM (Office Of Personnel Management) breach. Remember, the OPM breach compromised every single federal worker, military person, and everyone who had gone through a top secret back ground check - as all FS86 forms were stolen. Most high level officers have gone through this.
    • Re:Already Leaked (Score:5, Interesting)

      by bill_mcgonigle ( 4333 ) * on Friday June 29, 2018 @02:08PM (#56867142) Homepage Journal

      Remember, the OPM breach compromised every single federal worker

      The Chicoms got a copy of the OPM database but you can't get it on the dark web, like this one will be. That's a major difference.

      I know one of our fellow /.'ers who was seriously trying to get a copy of the OPM database. He turned up suddenly dead last year with a self-inflicted gunshot wound. Probably a coincidence, but he was insistent that I turn off my cell phone before talking about it. No joke - I gave him a copy of Tails as I do for everybody but I have no evidence of causality there.

      I only know a few of y'all in person, but you're the best kind of crazy friends.

  • by Comboman ( 895500 ) on Friday June 29, 2018 @11:38AM (#56866120)
    US law enforcement types love to blame the messenger rather than take responsibility for their mistakes.
  • I keep hearing every other day about "massive" data leaks, but then I never find any kind of link or indication of where you actually get the data. I have the Tor browser installed, but never find any .onion that actually works or has any content on it. These leaks are certainly not available on The Pirate Bay as torrents. I have no idea where to get it.

  • A Massive Cache of Law Enforcement Personnel Data Has Leaked

    SJW donut shop revenues [yahoo.com] hardest hit.

    • A Massive Cache of Law Enforcement Personnel Data Has Leaked

      SJW donut shop revenues [yahoo.com] hardest hit.

      You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)

      It was funny inside my head ...

      • A Massive Cache of Law Enforcement Personnel Data Has Leaked

        SJW donut shop revenues [yahoo.com] hardest hit.

        You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)

        It was funny inside my head ...

        See, the fact that I had to explain the humor means that I was myself acknowledging how weak it was ... which is funny in a meta kind of ironic way ...

        (It's humorsplaining Friday, apparently)

    • by Desler ( 1608317 )

      But it would have been fine had Sanders been a lesbian, though, right?

  • Seriously, Slashdot. Where's the fucking link?

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...