Remember the old meme about how many <whatever your profession was> does it take to change a lightbulb? This week felt like, “How many people does it take to get very sensitive data locked down?” But there was nothing funny about it.
Spoiler alert: the answer for this week was: 2 researchers, 1 journalist, 1 software vendor, 1 police department + a supporting cast.
Enter the first researcher, who set everything in motion:
On June 5, @JayeLTee started investigating an alert from one of his custom scans in May. His preliminary investigation did not identify any clear owner of the data, but what he had spotted told him this was something serious: two forensic phone extraction reports generated with Magnet Graykey software that named the phone owners, folder and file names relating to child sexual abuse, “Homicide,” and “Evidence,” and a news story about a Montana police officer’s suicide in which the officer’s name was the same as the name on the phone extraction file. Was this a vendor’s data storage, a government agency’s, or neither? Given the sensitive nature of what he had spotted, he wasn’t about to open a lot of files to try to determine whom to contact.
Read JayeLTee’s post about the incident.
Enter the second researcher:
On June 12, @JayeLTee turned to Martin Seeger (@masek) for assistance in identifying the owner of the data and in making the responsible disclosure to get it secured. As described in his post-mortem timeline, Seeger then reached out to an ex-employee of the FBI and to others on infosec.exchange, seeking contact information for the forensics software vendor.
On June 17, Seeger made contact with the extraction software vendor and provided them with information about the extraction report. They were able to identify their client and informed him that they would notify them.
Read Martin Seeger’s Timeline and Commentary about the Incident
Enter the journalist:
At the same time Seeger was reaching out to the vendor, DataBreaches was reaching out to the former Governor and former Attorney General of Montana, Steve Bullock, via LinkedIn. He never replied. But DataBreaches also reached out to the Bozeman Police Department in Montana, whose name had shown up in a file list @JayeLTee had provided. DataBreaches explained the situation in the contact form and mentioned that the police department’s name had shown up in the leak. “Please call me for IP addresses and more info,” the entry ended.
They did, and promptly. Detective Captain Dana McNeil of the Bozeman Police Department called to get the IP addresses and more information. It was clear he understood the situation and already had some ideas about the source of the leak. DataBreaches gave him the IP addresses over the phone and emailed him some additional information JayeLTee had provided.
It wasn’t long before Detective Captain McNeil contacted DataBreaches again to say that he had reached the lab, which informed him that they were already aware of the situation, having also been alerted minutes earlier by their vendor.
Following Up
DataBreaches has been involved in responsible disclosure and alerting entities to breaches or leaks for more than a decade now. Some leaks or breaches involve very sensitive personal data, and by very sensitive, DataBreaches is usually talking about medical information that could be stigmatizing or affect employment or social opportunities. In this case, though, DataBreaches was very concerned because the files were involved in investigations into serious crimes such as child sexual abuse and homicide.
If the files were accessed by others, could investigations into serious crimes be compromised by editing or otherwise altering the files? Could defense attorneys seek to have convictions overturned by claiming that evidence used to convict their client may have been corrupted at some unknown date? Could child victims be revictimized if there were actual images stored on the exposed shares?
DataBreaches asked @JayeLTee whether the exposed files were writable, but he did not know, as he does not routinely check permissions on files that he finds unsecured.
On his post-mortem timeline, Seeger sees the following threats from this leak:
- Integrity and Confidentiality of investigations into serious crimes compromised
- Privacy of U.S. citizens compromised (very likely to contain most intimate data)
- Providing 3rd parties hostile to the U.S. with blackmail material
All of those sound plausible.
There’s Much We Don’t Yet Know
Seeger identifies a number of security failures he found in the current incident. DataBreaches is not a security professional and is not qualified to comment, but an investigation is clearly warranted and changes likely need to be made to prevent another incident of this kind.
As this site often does in the aftermath of a breach or leak, DataBreaches reached out to the state to ask about its response. Emails were sent to the state’s Forensic Science Division, which is responsible for the state forensic laboratories. The Forensic Science Division is under the Department of Justice, and Attorney General Austin Knudsen sits on the Forensic Science Laboratory Advisory Board.
No replies have been received as yet to email inquiries sent to Travis Spinder, the head of the forensic science division, and Attorney General Knudsen in his capacity as advisor to that division and as state Attorney General, but this post will be updated when replies are received.