Detailed tactical plans for imminent police raids, confidential police reports with descriptions of alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect's phone. These are some of the files in a huge cache of data taken from the internal servers of ODIN Intelligence, a tech company that provides apps and services to police departments, following a hack and defacement of its website over the weekend.
The group behind the breach said in message left on ODIN's website that it hacked the company after its founder and chief executive Erik McCauley dismissed a report by Wired, which discovered the company's flagship app SweepWizard, used by police to coordinate and plan multi-agency raids, was insecure and spilling sensitive data about upcoming police operations to the open web.
The hackers also published the company's Amazon Web Services private keys for accessing its cloud-stored data and claimed to have "shredded" the company's data and backups but not before exfiltrating gigabytes of data from ODIN's systems.
ODIN develops and provides apps, like SweepWizard, to police departments across the United States. The company also builds technologies that allow authorities to remotely monitor convicted sex offenders. But ODIN also drew criticism last year for offering authorities a facial recognition system for identifying homeless people and using degrading language in its marketing.
ODIN's McCauley did not respond to several emails requesting comment prior to publication but confirmed the hack in a data breach disclosure filed with the California attorney general's office.
The breach not only exposes vast amounts of ODIN's own internal data but also gigabytes of confidential law enforcement data uploaded by ODIN's police department customers. The breach raises questions about ODIN's cybersecurity but also the security and privacy of the thousands of people — including victims of crime and suspects not charged with any offense — whose personal information was exposed.
The cache of hacked ODIN data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, such as caches from police departments, government agencies, law firms and militia groups. DDoSecrets co-founder Emma Best told TechCrunch that the collective has limited the distribution of the cache to journalists and researchers given the vast amount of personally identifiable data in the ODIN cache.
Little is known about the hack or the intruders responsible for the breach. Best told TechCrunch that the source of the breach is a group called "All Cyber-Cops Are Bastards," a phrase it referenced in the defacement message.
TechCrunch reviewed the data, which not only includes the company's source code and internal database but also thousands of police files. None of the data appears encrypted.
A police document, redacted by TechCrunch, with full details of an upcoming raid exposed by the breach. Image Credit: TechCrunch (screenshot)
The data included dozens of folders with full tactical plans of upcoming raids, alongside suspect mugshots, their fingerprints and biometric descriptions and other personal information, including intelligence on individuals who might be present at the time of the raid, like children, cohabitants and roommates, some of whom described as having "no crim[inal] history." Many of the documents were labeled as "confidential law enforcement only" and "controlled document" not for disclosure outside of the police department.
Some of the files were labeled as test documents and used fake officer names like "Superman" and "Captain America." But ODIN also used real world identities, like Hollywood actors, who are unlikely to have consented to their names being used. One document titled "Fresno House Search" bore no markings to suggest the document was a test of ODIN's front-facing systems but stated the raid's objective was to "find a house to live in."
The leaked cache of ODIN data also contained its system for monitoring sex offenders, which allows police and parole officers to register, supervise and monitor convicted criminals. The cache contained more than a thousand documents relating to convicted sex offenders who are required to register with the state of California, including their names, home addresses (if not incarcerated) and other personal information.
The data also contains a large amount of personal information about individuals, including the surveillance techniques that police use to identify or track them. TechCrunch found several screenshots showing people's faces matched against a facial recognition engine called AFR Engine, a company that provides face-matching technology to police departments. One photo appears to show an officer forcibly holding a person's head in front of another officer's phone camera.
Other files show police using automatic license plate readers, known as ANPR, which can identify where a suspect drove in recent days. Another document contained the full contents — including text messages and photos — of a convicted offender's phone, whose contents were extracted by a forensic extraction tool during a compliance check while the offender was on probation. One folder contained audio recordings of police interactions, some where officers are heard using force.
TechCrunch contacted several U.S. police departments whose files were found in the stolen data. None responded to our requests for comment.
ODIN's website, which went offline a short time after it was defaced, remains inaccessible as of Thursday.
If you know more about the ODIN Intelligence breach, get in touch with the security desk on Signal and WhatsApp at +1 646-755-8849 or email@example.com by email.