The Perils of Third-Party Breaches – Fusion Centers, Police Departments, and Others Impacted by #BlueLeaks Trove of Stolen Data

On Friday, June 19, 2020, an Anonymous-aligned hacktivist group Distributed Denial of Secrets (DDoSecrets) published nearly 270GB of data stolen from technology service provider Netsential. DDoSecrets is a WikiLeaks-style organization that describes itself as a “transparency collective” whose goal is the “free transmission of data in the public interest” and Netsential manages portals for content delivery and membership for many law enforcement organizations, including police departments, fusion centers, and the FBI. The trove of data was dubbed “#BlueLeaks” and includes images, documents, tables, web pages, text files, videos, audio files, and emails. According to DDoSecrets, they stole “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.” However, the National Fusion Center Association (NCFA) confirmed the leaked data dates back 24 years. According to researchers analyzing the data file, personally identifiable information (PII) is also among the stolen files. While passwords are believed to be encrypted, other PII was unencrypted. The breach is believed to have been the result of a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data; Netsential states they have remediated the exploited system. While the stolen documents, reports, and PII could be used for years come to create convincing phishing lures, this leak has the potential to compromise countless law enforcement investigations. This incident is not only a stark reminder of the importance of closely managing risk from third party supply chain entities, but the significance of security awareness and implementing user access controls, including multi-factor authentication to reduce account compromises – read WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities for discussions on each. Finally, given the close relationship between ISACs/ISAOs and fusion centers, WaterISAC is closely tracking developments and will report more information as it becomes available. Read more at KrebsOnSecurity