ODIN Intelligence hack reveals large trove of police raid files • TechCrunch

Detailed tactical plans for impending police raids, confidential police reports describing alleged crimes and suspects, and a forensic recovery report detailing the contents of a suspect’s phone. These are some of the files in a huge cache of data pulled from the internal servers of ODIN Intelligence, a technology company that provides apps and services to police departments, after a hack and defacement of its website over the weekend.

The group behind the breach said in a message left on ODIN’s website that it hacked the company after founder and CEO Erik McCauley dismissed a report from Wired, which found that the company’s flagship app SweepWizard, used by police to coordinate and plan raids involving several agencies, was insecure and leaked sensitive data about upcoming police operations to the open web.

The hackers also published the company’s private Amazon Web Services keys for accessing cloud-stored data and claimed to have “shredded” the company’s data and backups, but not before exfiltrating gigabytes of data from ODIN’s systems.

ODIN develops and delivers apps, such as SweepWizard, to police departments across the United States. The company also builds technologies that allow authorities to remotely monitor convicted sex offenders. But ODIN also came under fire last year for offering the government a facial recognition system to identify homeless people and using derogatory language in its marketing.

ODIN’s McCauley did not respond to multiple emails seeking comment before publication, but confirmed the hack in a data breach disclosure filed with the California attorney general’s office.

The breach exposed not only massive amounts of ODIN’s own internal data, but also gigabytes of confidential law enforcement data uploaded by ODIN’s police department customers. The breach raises questions about ODIN’s online security, but also the safety and privacy of thousands of people — including crime victims and suspects not charged with any crime — whose personal data was exposed.

The cache of hacked ODIN data was given to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, such as caches from police departments, government agencies, law firms and militia groups. DDoSecrets co-founder Emma Best told TechCrunch that the collective has limited distribution of the cache to journalists and researchers given the huge amount of personally identifiable data in the ODIN cache.

Little is known about the hack or the intruders responsible for the breach. Best told TechCrunch that the source of the breach is a group called “All Cyber-Cops Are Bastards,” a phrase it referenced in the defacement message.

TechCrunch reviewed the data, which includes not only the company’s source code and internal database, but also thousands of police files. None of the data appears to be encrypted.

A police document, redacted by TechCrunch, with full details of an upcoming raid revealed by the breach. Image credit: TechCrunch (screenshot)

The data included dozens of folders with full tactical plans for upcoming raids, along with suspects’ mugshots, their fingerprints and biometric descriptions and other personal information, including intelligence on individuals who may be present at the time of the raid, such as children and roommates, some of them described as having “no crim[inal] history.” Many of the documents were marked “confidential law enforcement only” and “controlled document,” not for disclosure outside the police department.

Some of the files were marked as test documents and used fake officer names such as “Superman” and “Captain America.” But ODIN also used real-world identities, such as Hollywood actors, who are unlikely to have consented to their names being used. A document titled “Fresno House Search” bore no markings suggesting the document was a test of ODIN’s front-facing systems, but stated that the raid’s goal was to “find a house to live in.”

The leaked cache of ODIN data also contained the Sex Offender Monitoring System, which allows police and parole officers to register and monitor convicts. The cache contained more than a thousand documents related to convicted sex offenders who are required to register in the state of California, including names, home addresses (if not incarcerated) and other personal information.

The data also contains a large amount of personal information about individuals, including the surveillance techniques that the police use to identify or track them. TechCrunch found several screenshots showing people’s faces matched against a facial recognition engine called AFR Engine, a company that provides face-matching technology to police departments. One photo appears to show an officer forcibly holding a person’s head in front of another officer’s phone camera.

Other files show that police use automatic number plate readers, known as ANPR, which can identify where a suspect has been driving in recent days. Another document contained the full contents — including text messages and photos — of a convicted offender’s phone, the contents of which were extracted by a forensic recovery tool during a compliance check while the offender was on probation. One folder contained audio recordings of police interactions, some in which officers are heard using force.

TechCrunch contacted several US police departments whose files were found in the stolen data. No one responded to our requests for comment.

ODIN’s website, which went offline shortly after it was defaced, remains unavailable as of Thursday.

If you know more about the ODIN Intelligence breach, please contact the security desk on Signal and WhatsApp at +1 646-755-8849, or at [email protected] by email.
