Detailed tactical plans for upcoming police raids, confidential police reports describing alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect’s phone. These are some of the files in a massive cache of data that came from the internal servers of ODIN Intelligence, a technology company that provides apps and services to police forces, after a hack and defacement of its website over the weekend.
The group behind the breach said in a post on ODIN’s website that it hacked into the company after its founder and CEO, Erik McCauley, dismissed a report from Wired, which found that the company’s flagship app SweepWizard, used by law enforcement to coordinate and plan multi-agency raids, was insecure and was exposing sensitive data about upcoming police operations to the open web.
The hackers also published the company’s Amazon Web Services private keys for accessing its cloud-stored data and claimed to have “shredded” the company’s data and backups, but not before exfiltrating gigabytes of data from ODIN’s systems.
ODIN develops and supplies apps, such as SweepWizard, to police forces in the United States. The company is also building technologies that allow authorities to track convicted sex offenders remotely. But ODIN was also criticized last year for offering authorities a facial recognition system to identify homeless people and for using demeaning language in its marketing.
ODIN’s McCauley did not respond to several emails asking for comment ahead of publication, but confirmed the hack in a data breach disclosure filed with the California Attorney General’s Office.
The breach exposes not only vast amounts of ODIN’s own internal data, but also gigabytes of confidential law enforcement data uploaded by ODIN’s police department clients. The breach raises questions about ODIN’s cybersecurity, as well as the safety and privacy of the thousands of people – including crime victims and suspects not charged with any crime – whose personal information has been disclosed.
The cache of hacked ODIN data has been provided to DDoSecrets, a non-profit transparency collective that indexes leaked datasets in the public interest, such as police, government, law firm and militia caches. DDoSecrets co-founder Emma Best told TechCrunch that the collective is taking over the distribution of the cache for journalists and researchers given the huge amount of personally identifiable data in the ODIN cache.
Little is known about the hack or the intruders responsible for the breach. Best told TechCrunch that the source of the breach is a group called “All Cyber-Cops Are Bastards,” a phrase it refers to in the defacement post.
TechCrunch reviewed the data, which includes not only the company’s source code and internal database, but also thousands of police files. None of the data appears encrypted.
The data includes dozens of folders containing full tactical plans of upcoming raids, in addition to suspect mugshots, their fingerprints and biometric descriptions, and other personal information, including information about individuals who may have been present at the time of the raid, such as children, cohabitants, and roommates, some of whom were described as having “no crim[inal] history.” Many of the documents were labeled “law enforcement confidential only” and “controlled document,” not to be disclosed outside of the police force.
Some files were labeled as test documents and used false officer names such as “Superman” and “Captain America.” But ODIN also used real-world identities, such as Hollywood actors, who probably didn’t consent to their names being used. A document titled “Fresno House Search” contained no markings suggesting the document was a test of ODIN’s forward-facing systems, but stated that the purpose of the raid was to “find a house to live in”.
The leaked cache of ODIN data also contained its sex offender monitoring system, which allows police and probation officers to record, escort and monitor convicted criminals. The cache contained over a thousand documents related to convicted sex offenders required to register with the state of California, including their names, home addresses (if not incarcerated), and other personal information.
The data also contains a large amount of personal information about individuals, including the surveillance techniques used by the police to identify or track them. TechCrunch found several screenshots comparing people’s faces to a facial recognition engine called AFR Engine, a company that provides facial recognition technology to police departments. One photo appears to show an officer forcibly holding a person’s head in front of another officer’s phone camera.
Other files show police using automatic license plate readers, known as ANPR, which can identify where a suspect has been driving in recent days. Another document contained the entire contents (including text messages and photos) of a convicted offender’s phone, which were extracted by a forensic extraction tool during a compliance check while the offender was on probation. One folder contained audio recordings of police interactions, some in which officers are heard using force.
TechCrunch contacted several US law enforcement agencies whose files were found in the stolen data. No one responded to our requests for comment.
ODIN’s website, which went offline for a short time after it was defaced, is unavailable as of Thursday.