- Hacktivists known as FocaLeaks claim to have hacked and exfiltrated data on 37,000 agents of Policía Nacional Civil de El Salvador (PNC).
- The information can allegedly be used to access government records on all citizens and to access criminal investigations.
Ransomware attacks on police departments have made headlines a number of times over the past few years — especially the Babuk attack and dump of D.C. Police files that contained personnel information as well as alleged files concerning confidential informants.
But while ransomware has been grabbing headlines, old-fashioned hacktivism is still a thing, as the recent incident involving Epik demonstrates. And right now, the police force of El Salvador and the residents of that country appear to be at significant risk of exposure of personal and sensitive data.
DataBreaches.net was first made aware of the “FocaLeaks” operation by DDoSecrets.com, a site that serves as a non-profit transparency collective. Through them, DataBreaches.net made contact with a spokesperson for FocaLeaks to get more information. All communications with FocaLeaks’ spokesperson were conducted in English.
The breach was previously reported in the media by David Bernal in La Prensa Gráfica on September 9.
Who is FocaLeaks?
FocaLeaks describes itself as the collaborative effort of individuals in Latin America and Europe. Their goal, according to their spokesperson, is to “exert pressure on governments with authoritarian and populist tendencies to destabilize their power and generate discontent among the population.” While the FocaLeaks name is specific to activities involving El Salvador, the group claims to have access to various government systems, documents, and databases from other countries as well.
“FocaLeaks” as an operation or group has been active for less than a month, and derives its name from a derisive term for the government and police of El Salvador used by the opposition or anti-government elements: “foca” means “seal.”
When asked whether they engage in disruptive activities such as destroying databases, the spokesperson responded:
Normally we obtain information from various sources, store it and use it as an intelligence resource; we are not noisy and we do not cause damage to the infrastructure. It is not our purpose; we have been in their systems for years without problems.
The spokesperson, who will be referred to here as “John Doe” (no relative of Dissent Doe, however), made a point of noting that FocaLeaks is not affiliated with any existing popular movement or political party. Nor, Doe said, do they have any special grudge against the El Salvador police, “apart from lending themselves to illegal arrests like [Mario Gómez’s] — his arrest and seizure of devices was irregular and illegal.”
We are the ones who are going to balance the scales of power. We have been watching their actions for a long time; we have seen their sins, we have weighed them on the scale and they have been found wanting. The day they decided to run over Mario, they spilled the drop that made the glass overflow. We have access to various government systems, documents and databases; here we leave you our first sample. If they do not desist from their conduct, we are going to make the world burn; nothing will be hidden, we are the light. We are going to expose the personal information of every member of the armed forces, the national civil police and politicians; no one will escape. We are an idea, the idea that thinking differently is not a crime, but controlling the flow of information is. #LiberenaMario
— Statement by FocaLeaks
The Cyberattack on the El Salvador Police
Doe would not provide specific details about their methods, only telling DataBreaches.net that while in a police station, they had spotted keys and user information stuck on a wall. And that, Doe says, was the beginning of it all.
“Our team has exploited flaws in their mobile application to access or manage to dump the information, given its poor authentication,” Doe told this site, adding, “You’d be surprised how little these people securitize (sic) their APIs.”
The Data Dump
DDoSecrets has made a redacted data set available to the public. DataBreaches.net has decided to only provide one heavily redacted sample of the kinds of records in each of two files provided by FocaLeaks to this site.
One set of data has records that look like this:
ONI: [redacted]
NOMBRE: [redacted]
Datos policiales: [redacted]
INTERPOL/DEPARTAMENTO BUSQUEDA INTERNACIONAL DE PERSONAS FUGITIVAS Y EXTRADICCIONES/RANGO:[redacted]
TEL INSTITUCIONAL: [redacted]
Usuario de Imperium: [redacted]
DUI: [redacted]
ESTADO: ACTIVO
The other data set has records that look like this:
{"id":"[redacted]","oni":"[redacted]","numero":"[redacted]","Correo":"[redacted]","upd":"[redacted]","imei":"[redacted]","pin":"[redacted]"}
The data in the two sets agree with each other.
Without going into detail here, one data set contains the logins to the Policía Nacional Civil de El Salvador (PNC) system. According to FocaLeaks, spoofing the IMEI allows someone to access a custom police app, which can then be used to access a platform that yields other data, which in turn enables access to the “Imperium” platform. Although DataBreaches.net knows the names of the app and platform, they are not being named here. Doe provided us with screencaps taken from within the custom app and one of the platforms. Doe also provided us with specific steps to follow to access Imperium. To protect the safety of others, we are not reporting those steps. We note that while Doe was able to provide us with screencaps from the custom app and a platform, no screencap was provided from within “Imperium,” despite our request. While that lack of proof is a bit concerning, we note that when we contacted the PNC, they did not deny the claimed hack. Their national security advisor was cc’d on their statement, described later in this post.
According to Doe, the “Imperium” platform contains criminal investigations, but it also contains civil records that include the government’s information on every individual in the country, including their rank, telephone number, email address, license plate information, and identity documents.
If FocaLeaks’ claim is accurate, then there is a significant security risk as IMEI numbers cannot be changed, and access to the Imperium platform could potentially be misused to find and retaliate against informants or others, or to attempt to extort people who may be under investigation. It might also potentially be used to take over individuals’ identities for fraudulent purposes.
Supporting FocaLeaks’ claim, reporting by La Prensa Gráfica indicates that at least several members of the police force did find their information in an earlier leak of unredacted data, and some have reportedly filed complaints with the prosecutor’s office because they believe they are now in danger.
PNC’s Response
DataBreaches.net did not attempt to test the specific claims or the directions Doe provided to this site as to how to access Imperium, as that would violate this country’s hacking laws. This site did attempt to contact the PNC, however, to ask whether they would confirm the claimed hack and what they have done in response to the claims. As reported previously elsewhere, the police clearly know about it, as they tweeted about it earlier this month, e.g.:
It has become known that hackers have infiltrated the computer database of the @PNCSV, which contains the institutional information with the name of each police officer and the place where they are stationed.
— M.T.P. (@moverderechopnc) September 2, 2021
and:
And in a few hours the @Director_PNC is going to make a statement on the breach of the @PNCSV computer database, which exposes the name, ONI, DUI, telephone number and duty station of police personnel.
(message from the hack) pic.twitter.com/7pDWHKn5TP
— M.T.P. (@moverderechopnc) September 2, 2021
According to Doe, PNC took their site down a few days after discovery of the breach, and it is down as of the time of this publication. As of September 3, the PNC’s Information Technology and Telecommunications Unit (UTIT) reportedly assumed 100% control of the Imperium System.
DataBreaches.net’s email inquiry to PNC was cc’d to their national security agency. The inquiry included two unredacted records (one from each of the two files FocaLeaks provided to this site) with a request that they indicate whether or not the data came from their system.
We received a reply from their national security agency. They appeared to be treating what was clearly indicated as a media/press inquiry as a complaint and they assigned it a complaint number. The body of the reply (addressed to @Chum1ng0) read:
Dear Chum: We have included the Advisor to follow up on what you describe. Let us await the due process of validating certain data and finding a viable solution.
Regards
That seems to be saying that they have referred our inquiry to their National Security Advisor who will hopefully determine if the data can be validated. So more than two weeks after data were initially leaked, and more than two weeks after the web site was taken down, they are not confirming the claimed hack, but they are not refuting it either.
Any Ethical Concerns?
DataBreaches.net asked Doe whether they have any ethical or moral concerns that people will be harmed if people just start accessing investigations because FocaLeaks made this dump public. Doe responded:
The truth is, no, I think that some things should be available to everyone, and more so when the people who should be concerned about protecting that information do not seem to care.
In some countries, police officers’ personal information is protected — it is not included in databases with addresses and telephone numbers. Not knowing the practice in El Salvador, DataBreaches.net asked Doe whether FocaLeaks was putting officers at risk with this dump. They replied:
In Latin American countries the rate of police abuse is very high; we believe that this database will be a useful tool to deal with these abuses.
DDoSecrets
FocaLeaks has provided DDoSecrets with unredacted data on 37,000 active agents. Doe claims that they also have data on other agents who are currently inactive or discharged, but those data have not been given to DDoSecrets.
DDoSecrets and DataBreaches.net agreed that neither of our sites would reveal certain information that could put people at risk of harm. As a result, DDoSecrets has redacted certain elements from the data records.
You can find DDoSecrets’ redacted data set and coverage at https://ddosecrets.com/wiki/El_Salvador_Police_Database.
Reporting by Dissent in collaboration with DDoSecrets. Additional research by Chum1ng0.
Note: DataBreaches.net has learned that several years ago, data on PNC agents may have been up for sale on the dark web by someone claiming to be an “investigator” in El Salvador’s national intelligence agency. John Doe claims that the earlier incident had nothing to do with FocaLeaks and FocaLeaks never had those data. Nor, Doe states, was there ever any public data dump then.