In-brief: The web site of the Fraternal Order of Police, an organization representing law enforcement officers in the United States, was offline Friday after reports that data stolen from the Order was posted online.
The web site of the Fraternal Order of Police, an organization representing law enforcement officers in the United States, was offline Friday after reports that data stolen from the Order was posted online.
The Fraternal Order of Police has more than 325,000 members in 2100 local chapters. Links to data purporting to belong to the Order appeared Thursday, including a 1 gigabyte archive named “GrandLodge_DB_Backup” and another 7 megabyte archive labeled “Jforum_backup.” The links were circulated via Twitter by The Cthulhu (@CthulhuSec). That account has been linked in the past to Thomas White, a UK-based civil liberties and privacy advocate. An e-mail to White seeking comment on the link was not responded to prior to publication. White and The Cthulhu account have been linked to the release of data from previous hacks, including data from the grey hat group The Hacking Team and the crowd funding site Patreon.
Contacted by The Security Ledger, The Fraternal Order of Police was not immediately available to offer comment on the apparent security breach.
In a blog post, The Cthulhu said the stolen data was provided by an unnamed source as a public service and “in light of an ever-increasing divide between the police groups and the citizens of the US.”
“My role in this is to ensure the information is accessible to all so that a proper analysis may be done by both established media outlets and individual investigators who wish to expose any wrongdoing,” the post reads.
The Security Ledger has not viewed the stolen data. A report from The Guardian says that the dump contains “hundreds of contracts between regional authorities and local fraternal order of police lodges.” Those contracts are rarely subject to public scrutiny and, in recent months, have been targeted as a tool for shielding police officers from disciplinary action.
Further, The Cthulhu claims that the 1 gigabyte of leaked data is a small fraction of the data stolen, which totals 18 terabytes and includes “information that is classified or sensitive.” That data has not been made public, but The Cthulhu issued a veiled warning to “any police found to be interfering with the free press or activists wanting to expose wrongdoing” that their name would be “at the top of the list for material releases”.
The exact mechanism by which hackers obtained the data from the Fraternal Order of Police isn’t known. However, the Order’s decision to take its web site offline suggests that it may have been the root of the attack – perhaps via an application attack. Surveys of web site security find that well known vulnerabilities such as SQL injection continue to be common.
A report released this week from the Online Trust Association estimated that nine of every ten data breaches that occurred in the first eight months of 2015 was “easily avoidable” using simple and well-established security practices, such as applying software patches to a server.