P3 Global Intel claims that it has “quickly become the new standard in tip management for Crime Stoppers programs, [Law Enforcement Agencies], and government agencies helping to solve and prevent crimes around the world.”
Its software does what it says on the tin: It accepts tips from the general public and then manages conversations between law enforcement and the tipper. Many of these tips are, by their very nature, extremely sensitive, and disclosure of the tip could imperil people’s lives. P3 promises on its websites that “your anonymity is protected at all times.”
But earlier this month, hackers calling themselves the, err, “Internet Yiff Machine” released 93GB of data that they claim was pilfered from P3’s tip-taking system.
(“Yiff” is, in the words of a Wikipedia article on the subject that I would NOT CLICK ON AT WORK due to its drawing of a cheetah with human genitalia, “a slang term used in the furry fandom to refer to pornographic content of anthropomorphic animal characters.”)
The data was sent to Straight Arrow News and to the Distributed Denial of Secrets (DDoS) leak archive. Given its sensitivity, DDoS is not releasing the data to the public, but it will make it available to “established journalists and researchers.”
In its write-up on the leak, Straight Arrow News noted that the archive “contains extensive personal data on people accused by tipsters: names, email addresses, dates of birth, phone numbers, home addresses, license plate numbers, Social Security numbers and criminal histories.” It also includes replies from investigators.
The software certainly doesn’t look very sophisticated; the Web version (there’s also an app) is a basic form with a file upload box and lots and lots of text fields, including “Gang Activity,” “Anyone Else Abusing Victim,” “Scars, Marks, Tattoos, Piercings,” “Where exactly is the weapon located?” and “How are drugs sold?”
Facts Only
Actor: P3 Global Intel, hackers called "Internet Yiff Machine"
Event: Data breach and release of 93GB of sensitive personal information
Location: Not specified
Date: Not specified
Executive Summary
Full Take
In analyzing this situation, we must consider the implications for privacy and security in digital systems that handle sensitive data. The breach highlights vulnerabilities in these systems and raises questions about accountability and oversight. It also underscores the importance of protecting anonymity, particularly when dealing with whistleblowers or victims of crimes who may be at risk.
Patterns detected: ARC-0043 Motte-and-Bailey (the data is being withheld from the public under the guise of protection but will be made available to select individuals), ARC-0024 Ambiguity (the motivation and methodology of the hackers are not clearly stated).
Root cause: This incident reflects a broader trend of digital vulnerabilities in systems that handle sensitive data, which can have far-reaching implications for privacy and security.
Implications: The breach could compromise the safety and privacy of individuals involved, as well as undermine trust in systems designed to protect them. It also raises questions about the balance between security and transparency in these digital systems.
Bridge Questions: What measures can be taken to ensure the security and privacy of sensitive data? How can we strike a balance between accountability and anonymity in whistleblower or crime-reporting systems? What role should oversight play in protecting against such breaches in the future?