Hackers who have previously targeted police department or law enforcement-related web sites have struck three more sites in the past few days – one in Texas and two in Alabama:
The Alabama Department of Public Safety (dps.alabama.gov) was hacked by @cabincr3w and w0rmer. Seven spreadsheets with information on sex offenders and limited information on the victims and the crimes, as well as a database listing offenders’ car make, model, and license plate number, were all dumped on the Internet. Inspection of the spreadsheets indicates that no names were dumped, but it might be possible to recognize particular cases of child sexual abuse or rape by the dates of the arrests and the description of the crime and victim’s age if a case had been reported in the media or occurred in a small town. Similarly, while offenders’ names were not included in the data dump, their vehicle information and license plate numbers were. It’s not clear whether the hackers also acquired other files or databases that would enable identification of what appear to be unique IDs. Their paste provides a list of tables they found.
(Update: in response to a query from this blog, they state that they did acquire such files but chose not to dump them.)
The hack was announced yesterday on Twitter. DPS’s web site has been offline since then.
In a second hack, announced today on Twitter, @CabinCr3w and w0rmer attacked the Texas Department of Public Safety (www.txdps.state.tx.us), although they didn’t dump any sensitive information. The Dallas Police Department and Texas Police Chiefs Association had previously been hacked.
In the third breach, the web site of the City of Mobile Police Department in Alabama was attacked by CabinCr3w, Kahuna, and w0rmer. In a statement accompanying a limited and redacted data dump, the hackers write:
We at the Cabin have been monitoring your recent racist legislation in an attempt to punish immigrants as criminals. The authorities in the state of Alabama are now able to question people suspected of being in the country illegally and hold them, and officials are able to check the immigration status of students in public schools. We will not idly stand by as this happens. You complain about immigrants costing the state money, however, you do not care about spending the same money to protect your own legal citizens. You say you have no money for immigrants but that’s because you are cutting money from programs everywhere including those which reduce crime. You will be feeding those funds into the soon to be too big to scale prison system. Cutting spending only shifts the cost from preparedness and healthy economy to more crime and suffering. Cutting spending does not cut cost.
We targeted your police and government servers, and as a result of this journey through the nether of your servers, we have stumbled across a treasure trove of data belonging to people in the state of Alabama. Unlike you, we are not criminals. We believe in protecting citizens’ personal data. Because of your police being lazy when it comes to data security, we have acquired the following information of over 46,000 citizens of the state of Alabama:
Full Legal Names
Social Security Numbers
License Plate Numbers
Date of Births
This was not our desire, or our goal. Your police administrators have made a terrible mistake and put the lives of Tens of Thousands of people in jeopardy. Because of the possible cost of lives and money to regular citizens, we are deleting this data and are seeking to make it known that you not only have shown zero regard for immigrants, but for the very citizens that live in the great state of Alabama.
One of the hackers, Kahuna, also pointed out that the department had failed to detect the breach, even days later:
— Kahuna (@ItsKahuna) February 9, 2012
Even if the Mobile Police Department has been busy and didn’t manage to notice that police departments are under cyberattack, why on earth were they storing so many SSNs without encryption? Although I imagine that the people of Alabama will be more ticked off at the hackers than their own law enforcement, they really should be demanding answers as to why so much personal information was not adequately secured.
As of the time of this posting, the department does not appear to be aware that it has been hacked as the server is still online. I sent them an inquiry asking for a response to the breach and will update this entry if I get a response.
Update 1: The Mobile PD was notified of the breach by DataBreaches.net via their contact form. When there was no response and the site was still up hours later, this blogger called them to make sure they understood that they had been hacked and that the information remained vulnerable.
Update 2: As of Friday morning, their site is still online. I hope they have secured the vulnerable database, but have received no response from them to the email and phone notifications by this blog.
Update/Correction 3: The city claims it was not the police department server that was hacked but the city webmaster’s server and that the database was from an amnesty program. They claim that all the data were public information. Social Security Numbers? Really?