Police Contractor That Promised to Track Homeless People Hacked

Hackers have stolen more than 15GB of data from ODIN Intelligence, a law enforcement contractor which, among other things, recently had plans to track people experiencing homelessness with facial recognition. The cache includes a bevy of sensitive information, such as photos, reports, and other ODIN customer and internal data.

In one directory called “gallery” are 5,900 files. These include images such as mugshots, people, homes, vehicles, and peoples’ tattoos. Some of the files include identifying information, such as the name of the person in the filename or identity and Social Security cards. 

Other files include field interrogation reports,  and sex offender registration information. ODIN runs Sex Offender Notification and Registration (SONAR), a system used by local and state police for tracking sex offenders. The dump also included some polygraph reports, including of convicted sex offenders.

One file contains what appears to be user login information. This includes two FBI email addresses.

The data also contains what appears to be internal ODIN test data. One folder of more than 140 audio files contains many recordings of someone testing the app.

Reports generated by ODIN’s app SweepWizard are also included in the data. Law enforcement can use SweepWizard to coordinate the execution of search warrants or raids. Some of these reports contain false names of “organizing officers” such as “Superman” and “Captain America.” It is unclear if these are fabrications or placeholders for test purposes. ODIN’s CEO Erik McCauley is listed as a “commanding officer” in some reports. ODIN did not respond to a request for comment.

Transparency organization Distributed Denial of Secrets obtained the hacked data and shared it with Motherboard. 

ODIN offers law enforcement a variety of products. Last year, Motherboard reported on an ODIN brochure for a product called the Homeless Management Information System, or HMIS. “Police use ODIN facial recognition to identify even non-verbal or intoxicated individuals,” the brochure read.

Earlier this month, WIRED reported on a vulnerability in SweepWizard. After receiving a tip, WIRED found that anyone visiting a specific URL was able to view data from the SweepWizard app. WIRED said it found personal information about suspects which could tip off people that they were going to be raided. In response, ODIN removed the app from the Google Play and Apple App Store. 

McCauley told WIRED in a statement at the time “ODIN Intelligence Inc. takes security very seriously.  We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” Captain Jeffery Bratcher, an LAPD official, told WIRED that the department is taking the issue seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he said.

Then on Sunday, TechCrunch reported hackers had defaced ODIN’s website. The hackers claimed to have stolen data from the company too. Distributed Denial of Secrets told TechCrunch it received this data.

“ACAB,” the message read. “All (cyber-) cops are bastards! No nations! No borders! We are all illegal!” 

At the time of writing, ODIN’s website is offline.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.