A trove of Minnesota law enforcement data was published online after hackers broke into the servers of a vendor of the Minnesota Bureau of Criminal Apprehension and Hennepin County Sheriff’s Office.
The sensitive information includes details about key Minnesota security and intelligence personnel at every level of government.
Also released were personally identifying contact information for security personnel for critical infrastructure sites in Minnesota like nuclear power plants, chemical processing facilities, rail networks, pipelines, hospitals and campuses of major employers and schools.
Information on over 9,000 government and industry personnel dating back over 15 years was divulged in a breach of data from ICEFISHX, an intelligence sharing and emergency alert website, which is part of the Minnesota Fusion Center, the intelligence wing of the Minnesota Bureau of Criminal Apprehension.
The breach of data of the Hennepin County Sheriff’s Office included the names and contact information of approximately 1,500 first responders, corporate security personnel and key security staff at sports stadiums, all of whom participated in its “Shield” information sharing program.
Names, titles, ranks, employers, addresses, mobile phone numbers, pager numbers, email addresses, IP addresses and more were included in the databases, and some entries noted the importance of some of the members and the sensitivity of their facilities.
“Monitoring of the electrical grids for Minnesota and surrounding states,” said one entry in the Minnesota Fusion Center database. “[O]ne of the largest user[s] and packag[er] of Chlorine (UN1017) in the Upper Midwest,” read another. “Our [redacted by the Minnesota Reformer] plant makes bullets and our [redacted by the Minnesota Reformer] site tests new explosives and equipment,” said another line in the file. In many cases, the Minnesota Fusion Center had categorized individuals in the databases into groups like “Agricultural Chemicals” and “Nuclear Materials and Waste.”
The Reformer verified that several of the cell phone numbers included in the data breach were accurate, including an assistant chief at Minneapolis FBI; the chief operating officer of the Federal Reserve Bank of Minneapolis; a military antiterrorism officer; an intelligence research specialist at the DEA; high-level security staff at a Minnesota nuclear power plant; and employees who operate the corporate command centers and cyber threat response groups at two large publicly-traded companies.
The stolen data was contained in “BlueLeaks,” which is being called the largest leak of U.S. law enforcement data in history, and was published online in mid-June by Distributed Denial of Secrets, a team of transparency activists who say they have no political leaning.
Spokespersons for the Minnesota Bureau of Criminal Apprehension, Minnesota Homeland Security Emergency Management, and Hennepin County Sheriff’s Office were reached by phone and email for comment, but did not provide a response by the time of publication.
Immediately after publication, Jill Oliveira, spokeswoman for the BCA, provided a statement, which said the data was illegally obtained.
“The Minnesota Fusion Center has received from the FBI a copy of the portion of the stolen documents related to Minnesota Fusion Center activities. The Fusion Center is in the process of evaluating the data for not public information on individuals and will notify individuals as needed,” said Oliveira.
The hacked data included over 20,000 files, such as intelligence briefings, software code, suspicious activity alerts, COVID-19 situation reports, violent offender advisories, as well as internal information such as codewords to use when reporting suspected terrorist activity. But some of the most sensitive data might be information on first responders and those keeping Minnesota’s critical infrastructure safe.
Aside from passwords, the information in the leak was not encrypted, suggesting major shortcomings in the information security practices of both Minnesota state government and its largest jurisdiction, Hennepin County. The Reformer presented a list of questions to the Minnesota Department of Public Safety about whether it is investigating the breach, whether any of the individuals named in the breach had been informed, and what steps have been taken in the nearly a month since the information was published online. The agency did not respond.
Because some of the data stolen in the hack was not public under law, the hacking may qualify as a data breach, requiring the government agencies involved to provide notice to individuals in the database. Several people whose data was leaked told the Reformer they had not been informed of the breach, despite the agencies’ legal obligation to do so.
One federal law enforcement officer who works undercover said they had no knowledge that their name, agency affiliation and cell phone number had been published on the Internet.
The stolen data included identifying information on personnel who work in security and intelligence at local police departments and sheriff’s offices, ambulance companies and hospitals, emergency management teams throughout the Twin Cities metro area, Metro Transit, the Federal Reserve Bank, courthouse security, chemical threat and pandemic teams at the Minnesota Department of Health, conservation officers, military force protection and intelligence teams and federal officers at the ATF, FBI, Secret Service, ICE and the U.S. Marshals.
The hacked data had been housed at Netsential, a vendor of both the Minnesota Bureau of Criminal Apprehension and Hennepin County Sheriff’s Office.
“Netsential can confirm its web servers were recently compromised,” read a statement posted on the company’s website. “We have enhanced our systems and will continue to work with law enforcement to mitigate future threats.”
Mark Lanterman, chief technology officer at Computer Forensic Services and a former member of a Secret Service Electronic Crimes Task Force, said the breach highlights the risks of outsourcing: “This shows that you’re only as secure as your vendors,” he said. Audits to ensure vendor compliance with security requirements are common in the private sector, but not in government, he said.
“Law enforcement has decided to outsource some of their needs to vendors that perhaps they should have been auditing,” Lanterman said. “There’s no such thing as perfect security, and without someone conducting an audit, they’re still at risk.”
He said the typical advice of changing passwords after a data breach still applies, but that this type of data breach presents a broader safety issue.
“My guess is half of law enforcement read about [BlueLeaks] as a headline, didn’t bother to read the rest of the article, and is totally oblivious to what data is out there,” said Lanterman. “I really think law enforcement needs to reevaluate how they’re managing this.”
Asked what law enforcement agencies should do now that the data has spread across the internet, Lanterman said: “Pray.”