Anonymous Hackers Expose Sensitive Law Enforcement Data
The data, which Anonymous hackers posted to Pastebin.com, was sourced to 76 law enforcement agencies’ Web sites in 11 states, including Arkansas, Kansas, Louisiana, Missouri and Mississippi. Most of the Web sites were hosted by Arkansas-based online marketing firm Brooks-Jeffrey Marketing.
Altogether, the cache of lifted data contained confidential e-mail messages from sheriff departments as well as passwords, Social Security numbers and credit card information.
“A week after we defaced and destroyed the Web sites of over 70 law enforcement agencies, we are releasing a massive amount of confidential information that is sure to embarrass, discredit and incriminate police officers across the U.S.” Anonymous hackers said in a Pastebin blog post. "Over 10GB of information was leaked including hundreds of private email spools, password information, address and social security numbers, credit card numbers, snitch information, training files and more.”
While many of the e-mails appeared to be related to routine business, some contained sensitive materials such as information pertaining to ongoing investigations, tips about suspected criminals or activities, and security training techniques.
Anonymous attacked the Brooks-Jeffrey servers July 31. However, the online marketing firm relaunched them with the malware still intact, opening the organization up for another round of attacks.
"'Their bigger, faster server that offers more security’ carried over our backdoors from their original box. This time we were not going to hesitate to pull the trigger," Anonymous said.
Hackers claimed to release the police data in retaliation for recent arrests of suspected members of both Anonymous and the spin-off hacking group LulzSec. In July, the FBI arrested 16 alleged members of Anonymous allegedly linked to a Pay Pal attack earlier this year.
“We stand in support of all those who struggle against the injustices of the stat and capitalism using whatever tactics are most effective, even if that means breaking their laws in order to expose their corruption,” Anonymous hackers said in the blog. “You may bust a few of us, but we greatly outnumber you, and you can never stop us from continuing to destroy your systems and leak your data.”
The attacks were part of the AntiSec campaign, a concerted effort to target corporations as well as law enforcement agencies and governments. The effort was reinvigorated in June, when LulzSec claimed to be absorbed back into its parent hacker group Anonymous following a 50-day hacking rampage..
The nationwide attack on law enforcement agencies is hardly the first for the Anonymous-Lulzsec collective. Earlier this year, LulzSec hacked into the Arizona Department of Public Safety in protest of the state’s controversial immigration laws.
However, security experts contend that this particular attack differs from others. Mike Paquette, chief strategy officer at Top Layer Security, said that that instead of just public humiliation, the released information could have serious consequences for individuals who anonymously tipped the law enforcement agency with information about a crime.
“This is more scary than just identity theft in the sense that people could be put physically at risk due to this data breach,” Paquette said in an e-mail.“This is a new twist where we have law enforcement information being stolen. Allegedly the emails that were stolen were anonymous tips to report crimes. When that information is disclosed publicly, it could put people at physical risk too. If a person made a tip about an organized crime, they could be put in jeopardy as some crime organizations do not hesitate to use physical intimidation.”
Security experts say that the recent attack on the rural law enforcement agencies differed slightly from the others in that the hackers also swiped unencrypted credit card numbers from the Brooks-Jeffery servers for illegal use.
“In this case, they did find credit card numbers lying around in the clear on servers and used them to make donation to various charities. They hadn’t done anything like that before,” said Wasim Ahmad, vice president of data security at Voltage Security. “Doing the credit card transaction was kind of an extra display of their arrogance.”