Fraternal Order of Police hacked, members’ data dumped

Jon Swaine and George Joseph report:

Private files belonging to America’s biggest police union, including the names and addresses of officers, forum posts critical of Barack Obama, and controversial contracts made with city authorities, were posted online Thursday after a hacker breached its website.

The Fraternal Order of Police (FOP), which says it represents about 330,000 law enforcement officers across the US, said the FBI was investigating after 2.5GB of data taken from its servers was dumped online and swiftly shared on social media. The union’s national site, fop.net, remained offline on Thursday evening.

“We have contacted the office of the assistant attorney general in charge of cyber crime, and officials from FBI field offices have already made contact with our staff,” Chuck Canterbury, the FOP’s national president, said in an interview.

Read more on The Guardian.

Joseph Cox of Motherboard takes a more critical look at the data and questions why FOP’s statement about the incident attributed the hack to Anonymous, as there’s nothing about this incident to suggest the involvement of Anonymous.  The FOP’s statement not only misattributes the hack (perhaps that’s intentional, though?), but consistently misspells “breach:”

We have learned today that our data system has been hacked by the Group known as Anonymous. It appears to have originated outside of the United States.

The data breech is a complete breech of our data and they have posted some of the data on Twitter.

The data posted to date is merely Bargaining Contracts that we have collected and inputed into our data system and those are all available on the open web.

They have however breeched all of our records and therefore we have shut down access to our entire site. We have engaged professionals to identify all the necessary steps we need to take to put our system back on line and it may take several days.

The Executive Board will be having a teleconference later today to discuss the breech and we will provide as timely information to you all as we can.

I am asking State Lodges to notify their local Lodges of the system being down and advise them we will put out an immediate notice when we can safely put the system back on line.

Our professional Computer experts have identified how the hackers made access but that information cannot be distributed at this time for obvious reasons. Suffice it to say that the level of sophistication was very high.

I am truly sorry that this is happened and we are working as hard as possible to take the necessary steps.

Chuck Canterbury

Aha… so this was a “sophisticated” attack? I’d love to know more about that.

An individual known as @CthulhuSec on Twitter took responsibility for dumping the data, but not for hacking/acquiring it, as explained in this statement. In an archived copy of the data dump, Cthulhu also states:

Note to irritated members of law enforcement

Don’t bother with legal threats or trying to get UK law enforcement to seek revenge. This is me playing nice.
If you want to go nuclear with me, feel free to do so, but trust me when I say you might want to think long and hard before you do.
I’m not known for bluffing, and I know many more of your secrets. About 18TB all in all actually, all unpublished yet.
“I dare you – I double dare you motherfucker”

The FOP claims that they don’t even have 18TB of data, but Cthulhu suggests that the data may include data from other sources.

As noted above, CthulhuSec claims to be in the U.K., and doesn’t seem particularly worried/concerned about facing any charges under U.S. hacking laws in the U.S. And although U.S. law enforcement may wish to pursue this case to make a point, the fact that this is the fraternal order of police and not an actual law enforcement agency diminishes the significance of the types of data that might be found (e.g., police departments may negotiate for surveillance equipment, but their fraternal order wouldn’t be involved in such activities). While there may be some “controversial contracts” or inflammatory forum posts, I doubt many “smoking guns” will be found, although people will be upset by the attempts to shield police from disciplinary action.  But is there anyone who thinks that the organization wouldn’t be doing that? This is not news.  In any event, I would guess that the U.S. wouldn’t pursue any extradition and if there are any charges for dumping the data, they would be faced in the U.K., whose penalties are much less severe than the U.S.’s.

In many respects, this action and data dump is reminiscent of what we saw in 2012 when several individuals targeted police departments and associated organizations. And while the hack – as hacktivism – might have seemed justifiable to some after Ferguson and other highly publicized cases, this blogger fails to see the point in attacking FOP or dumping its members’ names and addresses.

Consistent with this site’s policy, I will not be linking to the torrent, although it appeared to still be available as of this morning.