DataBreaches.Net


A state forensics lab was leaking its files. Getting it locked down involved a number of people.

Posted on June 22, 2025 by Dissent

Remember the old meme about how many <whatever your profession was> does it take to change a lightbulb? This week felt like, “How many people does it take to get very sensitive data locked down?” But there was nothing funny about it.

Spoiler alert: the answer for this week was: 2 researchers, 1 journalist, 1 software vendor, 1 police department + a supporting cast.

Enter the first researcher, who set everything in motion:

On June 5, @JayeLTee started investigating an alert from one of his custom scans in May. His preliminary investigation did not spot any clear owner of the data, but having spotted two forensic phone extraction reports using Magnet Graykey software that named the phone owners, seeing folder and file names relating to child sexual abuse, “Homicide,” “Evidence,” and a news story about a Montana police officer’s suicide where the name was the same name as on the phone extraction file, he knew this was something serious. Was this a vendor’s data storage, a government agency’s, or neither? Given the sensitive nature of what he had spotted, he wasn’t about to open a lot of files to try to determine who to contact.

Read JayeLTee’s post about the incident.

Enter the second researcher:

On June 12, @JayeLTee turned to Martin Seeger (@masek) for assistance in identifying the owner of the data and in making the responsible disclosure to get it secured. As described in his post-mortem timeline, Seeger then reached out to an ex-employee of the FBI and to others on infosec.exchange, seeking contact information for the forensics software vendor.

On June 17, Seeger made contact with the extraction software vendor and provided them with information about the extraction report. They were able to identify their client and informed him that they would notify them.

Read Martin Seeger’s Timeline and Commentary about the Incident

Enter the journalist:

At the same time Seeger was reaching out to the vendor, DataBreaches was reaching out to the former Governor and former Attorney General of Montana, Steve Bullock, via LinkedIn. He never replied. But DataBreaches also reached out to the Bozeman Police Department in Montana, whose name had shown up in a file list @JayeLTee had provided. DataBreaches explained the situation in the contact form and mentioned that the police department’s name had shown up in the leak. “Please call me for IP addresses and more info,” the entry ended.

They did, and promptly. Detective Captain Dana McNeil of the Bozeman Police Department called to get the IP addresses and more information. It was clear he understood the situation and already had some ideas about the source of the leak. DataBreaches gave him the IP addresses over the phone and emailed him some additional information JayeLTee had provided.

It wasn’t long before Detective Captain McNeil contacted DataBreaches again to say that he had reached the lab, which informed him that they were already aware of the situation, having also been alerted minutes earlier by their vendor.

Following Up

DataBreaches has been involved in responsible disclosure and alerting entities to breaches or leaks for more than a decade now. Some leaks or breaches involve very sensitive personal data, and by very sensitive, DataBreaches is usually talking about medical information that could be stigmatizing or affect employment or social opportunities. In this case, though, DataBreaches was very concerned because the files were involved in investigations into serious crimes such as child sexual abuse and homicide.

If the files were accessed by others, could investigations into serious crimes be compromised by editing or otherwise altering the files? Could defense attorneys seek to have convictions overturned by claiming that evidence used to convict their client may have been corrupted at some unknown date? Could child victims be revictimized if there were actual images stored on the exposed shares?

DataBreaches asked @JayeLTee about the ability to write on the exposed files, but he did not know, as he does not routinely check permissions on files that he finds unsecured.

On his post-mortem timeline, Seeger sees the following threats from this leak:

  • Integrity and Confidentiality of investigations into serious crimes compromised
  • Privacy of U.S. citizens compromised (very likely to contain most intimate data)
  • Providing 3rd parties hostile to the U.S. with blackmail material

All of those sound plausible.

There’s Much We Don’t Yet Know

Seeger identifies a number of security failures he found in the current incident. DataBreaches is not a security professional and is not qualified to comment, but an investigation is clearly warranted and changes likely need to be made to prevent another incident of this kind.

As this site often does in the aftermath of a breach or leak, DataBreaches reached out to the state to ask them about their response. Emails were sent to the state’s Forensic Science Division, which is responsible for the state forensic laboratories. The Forensic Science Division is under the Department of Justice, and Attorney General Austin Knudsen sits on the Forensic Science Laboratory Advisory Board.

No replies have been received as yet to email inquiries sent to Travis Spinder, the head of the forensic science division, and Attorney General Knudsen in his capacity as advisor to that division and as state Attorney General, but this post will be updated when replies are received.

Category: Commentaries and Analyses, Exposure, Government Sector
